Hierarchical identity-based encryption and signature schemes

ABSTRACT

Methods are provided for encoding and decoding a digital message between a sender and a recipient in a system including a plurality of private key generators (“PKGs”). The PKGs include at least a root PKG and n lower-level PKGs in the hierarchy between the root PKG and the recipient. A root key generation secret is selected and is known only to the root PKG. A root key generation parameter is generated based on the root key generation secret. A lower-level key generation secret is selected for each of the n lower-level PKGs, wherein each lower-level key generation secret is known only to its associated lower-level PKG. A lower-level key generation parameter also is generated for each of the n lower-level PKGs using at least the lower-level key generation secret for its associated lower-level private key generator. The message is encoded to form a ciphertext using at least the root key generation parameter and recipient identity information associated with the recipient. A recipient private key is generated such that the recipient private key is related to at least the root key generation secret, one or more of the n lower-level key generation secrets, and the recipient identity information. The ciphertext is decoded to recover the message using at least the recipient private key.

RELATED APPLICATIONS

[0001] Applicants hereby claim priority under 35 U.S.C. § 119(e) to provisional U.S. patent applications Ser. No. 60/366,292, filed on Mar. 21, 2002, and Ser. No. 60/366,196, filed on Mar. 21, 2002, both of which are incorporated herein by reference.

BACKGROUND OF THE INVENTION

[0002] The present invention relates in general to cryptography and secure communication via computer networks or via other types of systems and devices, and more particularly to hierarchical, identity-based schemes for encrypting and decrypting communications.

[0003] Roughly speaking, identity-based cryptosystems are public key cryptosystems in which the public key of an entity is derived from information associated with the entity's identity. For instance, the identity information may be personal information (i.e., name, address, email address, etc.), or computer information (i.e., IP address, etc.). However, identity information may include not only information that is strictly related to an entity's identity, but also widely available information such as the time or date. That is, the importance of the concept of identity information is not its strict relation to the entity's identity, but that the information is readily available to anyone who wishes to encrypt a message to the entity.

[0004] An entity's private key is generated and distributed by a trusted party or logical process, typically known as a private key generator (“PKG”). The PKG uses a master secret to generate private keys. Because an entity's public key may be derived from its identity, when Alice wants to send a message to Bob, she does not need to retrieve Bob's public key from a database. Instead, Alice merely derives the key directly from Bob's identifying information. Databases of public keys are unnecessary. Certificate authorities (“CAs”) also are unnecessary. There is no need to “bind” Bob's identity to his public key because his identity is his public key.

[0005] The concept of identity-based cryptosystems is not new. It was proposed in A. Shamir, Identity-Based Cryptosystems and Signatures Schemes, ADVANCES IN CRYPTOGRAPHY—CRYPTO '84, Lecture Notes in Computer Science 196 (1984), Springer, 47-53. However, practical identity-based encryption schemes have not been found until recently. For instance, identity-based schemes were proposed in C. Cocks, An Identity-Based Encryption Scheme Based on Quadratic Residues, available at http://www.cesg.gov.uk/technology/id-pkc/media/ciren.pdf; D. Boneh, M. Franklin, Identity Based Encryption from the Weil Pairing, ADVANCES IN CRYPTOLOGY—CRYPTO 2001, Lecture Notes in Computer Science 2139 (2001), Springer, 213-229; and D. Boneh, M. Franklin, Identity Based Encryption from the Weil Pairing (extended version), available at http://www.cs.stanford.edu/~dabo/papers/ibe.pdf. Cocks's scheme is based on the “Quadratic Residuosity Problem,” and although encryption and decryption are reasonably fast (about the speed of RSA), there is significant message expansion (i.e., the bit-length of the ciphertext is many times the bit-length of the plaintext). The Boneh-Franklin scheme bases its security on the “Bilinear Diffie-Hellman Problem,” and it is quite fast and efficient when using Weil or Tate pairings on supersingular elliptic curves or abelian varieties.

[0006] However, the known identity-based encryption schemes have a significant shortcoming—they are not hierarchical. In non-identity-based public key cryptography, it has been possible to have a hierarchy of CAs in which the root CA can issue certificates for other CAs, who in turn can issue certificates for users in particular domains. This is desirable because it reduces the workload on the root CA. A practical hierarchical scheme for identity-based cryptography has not been developed.

[0007] Ideally, a hierarchical identity-based encryption scheme would involve a hierarchy of logical or actual PKGs. For instance, a root PKG may issue private keys to other PKGs, who in turn would issue private keys to users in particular domains. It also would be possible to send an encrypted communication without an online lookup of the recipient's public key or lower-level public parameters, even if the sender is not in the system at all, as long as the sender obtained the public parameters of the root PKG. Another advantage of a hierarchical identity-based encryption scheme would be damage control. For instance, disclosure of a domain PKG's secret would not compromise the secrets of higher-level PKGs, or of any other PKGs that are not direct descendents of the compromised domain PKG. The schemes taught by Cocks and Boneh-Franklin do not have these properties.

[0008] A secure and practical hierarchical identity-based encryption scheme has not been developed. A hierarchical identity-based key sharing scheme with partial collusion-resistance is given in G. Hanaoka, T. Nishioka, Y. Zheng, H. Imai, An Efficient Hierarchical Identity-Based Key-Sharing Method Resistant Against Collusion Attacks, ADVANCES IN CRYPTOGRAPHY—ASIACRYPT 1999, Lecture Notes in Computer Science 1716 (1999), Springer, 348-362; and G. Hanaoka, T. Nishioka, Y. Zheng, H. Imai, A Hierarchical Non-Interactive Key-Sharing Scheme With Low Memory Size and High Resistance Against Collusion Attacks, to appear in THE COMPUTER JOURNAL. In addition, an introduction to hierarchical identity-based encryption was provided in J. Horwitz, B. Lynn, Toward Hierarchical Identity-Based Encryption, to appear in ADVANCES IN CRYPTOGRAPHY—EUROCRYPT 2002, Lecture Notes in Computer Science, Springer. Horwitz and Lynn proposed a two-level hierarchical scheme with total collusion-resistance at the first level and partial collusion-resistance at the second level (i.e., users can collude to obtain the secret of their domain PKG and thereafter masquerade as that domain PKG). However, the complexity of the Horwitz-Lynn system increases with the collusion-resistance at the second level, and therefore that scheme cannot be both practical and secure.

[0009] Accordingly, there has been a need for a secure and practical hierarchical identity-based encryption scheme. It is therefore an object of the present invention to provide a secure and practical hierarchical identity-based encryption scheme. It is another object of the present invention to provide a secure and practical hierarchical identity-based signature scheme. It is a further object of the present invention that the encryption and signature schemes be fully scalable. It is a still further object of the present invention that the encryption and signature schemes have total collusion resistance on an arbitrary number of levels, and that they have chosen-ciphertext security in the random oracle model.

BRIEF SUMMARY OF THE PREFERRED EMBODIMENTS

[0010] In accordance with the present invention, methods are provided for implementing secure and practical hierarchical identity-based encryption and signature schemes.

[0011] According to one aspect of the present invention, a method is provided for encoding and decoding a digital message between a sender and a recipient in a system including a plurality of private key generators (“PKGs”). The PKGs include at least a root PKG and n lower-level PKGs in the hierarchy between the root PKG and the recipient, wherein n≧1. A root key generation secret is selected and is known only to the root PKG. A root key generation parameter is generated based on the root key generation secret. A lower-level key generation secret is selected for each of the n lower-level PKGs, wherein each lower-level key generation secret is known only to its associated lower-level PKG. A lower-level key generation parameter also is generated for each of the n lower-level PKGs using at least the lower-level key generation secret for its associated lower-level private key generator. The message is encoded to form a ciphertext using at least the root key generation parameter and recipient identity information. A recipient private key is generated such that the recipient private key is related to at least the root key generation secret, one or more of the n lower-level key generation secrets associated with the n lower-level PKGs in the hierarchy between the root PKG and the recipient, and the recipient identity information. The ciphertext is decoded to recover the message using at least the recipient private key.

[0012] According to another aspect of the present invention, a method is provided for encoding and decoding a digital message between a sender and a recipient in a system including a plurality of private key generators (“PKGs”). The PKGs include at least a root PKG, m lower-level PKGs in the hierarchy between the root PKG and the sender, wherein m≧1, n lower-level PKGs in the hierarchy between the root PKG and the recipient, wherein n≧1, and PKG_(l), which is a common ancestor PKG to both the sender and the recipient. In the hierarchy, l of the m private key generators are common ancestors to both the sender and the recipient, wherein l≧1.

[0013] According to this aspect of the invention, a lower-level key generation secret is selected for each of the m lower-level PKGs in the hierarchy between the root PKG and the sender. A sender private key is generated such that the sender private key is related to at least the root key generation secret, one or more of the m lower-level key generation secrets associated with the m lower-level PKGs in the hierarchy between the root PKG and the sender, and sender identity information. A recipient private key is generated such that the recipient private key is related to at least the root key generation secret, one or more of the n lower-level key generation secrets associated with the n lower-level PKGs in the hierarchy between the root PKG and the recipient, and recipient identity information. The message is encoded using at least the recipient identity information, the sender private key, and zero or more of the lower-level key generation parameters associated with the (m−l+1) private key generators at or below the level of the common ancestor PKG_(l), but not using any of the lower-level key generation parameters that are associated with the (l−1) PKGs above the common ancestor PKG_(l). The message is decoded using at least the sender identity information, the recipient private key, and zero or more of the lower-level key generation parameters associated with the (n−l+1) private key generators at or below the level of the common ancestor PKG_(l), but not using any of the lower-level key generation parameters that are associated with the (l−1) PKGs above the common ancestor PKG_(l).

[0014] According to another aspect of the present invention, a method is provided for generating and verifying a digital signature of a message between a sender and a recipient in a system including a plurality of PKGs. The PKGs include at least a root PKG and n lower-level PKGs in the hierarchy between the root PKG and the sender, wherein n≧1. A root key generation secret is selected and is known only to the root PKG. A root key generation parameter is generated based on the root key generation secret. A lower-level key generation secret is selected for each of the n lower-level PKGs, wherein each lower-level key generation secret is known only to its associated lower-level PKG. A lower-level key generation parameter also is generated for each of the n lower-level PKGs using at least the lower-level key generation secret for its associated lower-level private key generator. A private key is generated for the sender such that the private key is related to at least the root key generation secret and sender identity information. The message is signed to generate the digital signature using at least the sender private key. The digital message is verified using at least the root key generation parameter and the sender identity information.

BRIEF DESCRIPTION OF THE DRAWINGS

[0015] The subsequent description of the preferred embodiments of the present invention refers to the attached drawings, wherein:

[0016] FIG. 1 shows a flow diagram illustrating a method of encoding and decoding a digital message according to one presently preferred embodiment of the invention;

[0017] FIG. 2 shows a flow diagram illustrating a method of encoding and decoding a digital message between a sender y and a recipient z according to another presently preferred embodiment of the invention;

[0018] FIG. 3 shows a block diagram illustrating a typical hierarchical structure in which this method of FIG. 2 may be performed;

[0019] FIG. 4 shows a flow diagram illustrating a method of encoding and decoding a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention;

[0020] FIG. 5 shows a flow diagram illustrating a method of encoding and decoding a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention;

[0021] FIG. 6 shows a flow diagram illustrating a method of encoding and decoding a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention;

[0022] FIG. 7 shows a flow diagram illustrating a method of generating and verifying a digital signature according to another presently preferred embodiment of the invention;

[0023] FIG. 8 shows a flow diagram illustrating a method of generating and verifying a digital signature Sig of a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention; and

[0024] FIG. 9 shows a flow diagram illustrating a method of generating and verifying a digital signature Sig of a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0025] The presently preferred methods of the invention provide secure and practical hierarchical identity-based encryption (“HIDE”) and signature (“HIDS”) schemes. The hierarchical schemes are fully scalable, have total collusion resistance on an arbitrary number of levels, and have chosen-ciphertext security in the random oracle model. These objectives are achieved, in part, by introducing additional random information at each of the lower-level PKGs. One intuitively surprising aspect of these schemes is that, even though lower level PKGs generate additional random information, this does not necessitate adding public parameters below the root level of the hierarchy. In addition, the random information generated by a lower-level PKG does not adversely affect the ability of users not under the lower-level PKG to send encrypted communications to users under the lower-level PKG.

[0026] Each of the HIDE and HIDS schemes of the present invention requires a hierarchical structure of PKGs, including at least one root PKG and a plurality of lower-level PKGs. The hierarchy and the lower-level PKGs may be logical or actual. For instance, a single entity may generate both a root key generation secret and the lower-level key generation secrets from which lower-level users' encryption or signature keys are generated. In this case, the lower-level PKGs are not separate entities, but are merely processes or information arranged in a logical hierarchy and used to generate keys for descendent PKGs and users in the hierarchy. Alternatively, each lower-level PKG may be a separate entity. Another alternative involves a hybrid of actual and logical lower-level PKGs. For purposes of this disclosure, the term “lower-level PKG” will be used generically to refer to any of these alternatives.

[0027] In the context of the hierarchical identity-based cryptosystems disclosed herein, identity-based public keys may be based on time periods. For instance, a particular recipient's identity may change with each succeeding time period. Alternatively, a recipient may arrange the time periods as children or descendents of itself in a hierarchy, and a sender would use the identity of the proper time period when encoding the message. Either way, each key may be valid for encrypting messages to Bob only during the associated time period.

[0028] The HIDE schemes of the present invention generally include five randomized algorithms: Root Setup, Lower-level Setup, Extraction, Encryption, and Decryption. Three of these algorithms rely upon the identities of the relevant entities in the hierarchy. Each user preferably has a position in the hierarchy that may be defined by its tuple of IDs: (ID₁, . . . , ID_(t)). The user's ancestors in the hierarchy are the root PKG and the users, or PKGs, whose ID-tuples are {(ID₁, . . . , ID_(i)): 1≦i≦(t−1)}. The ID-tuples preferably are represented as binary strings for purposes of computations.

[0029] In the Root Setup algorithm, the root PKG uses a security parameter K to generate public system parameters params and a root key generation secret. The system parameters include a description of the message space M and the ciphertext space C. The system parameters will be publicly available, while only the root PKG will know the root key generation secret.

[0030] In the Lower-level Setup algorithm, each lower-level PKG preferably generates its own lower-level key generation secret for purposes of extraction. Alternatively, a lower-level PKG may generate random one-time secrets for each extraction.

[0031] In the Extraction algorithm, a PKG (whether the root PKG or a lower-level PKG) generates a private key for any of its children. The private key is generated using the system parameters, the generating PKG's private key, and any other preferred secret information.

[0032] In the Encryption algorithm, a sender receives the system parameters from the root PKG, preferably via some secure means outside the present system. It is not necessary for the sender to receive any of the lower-level key generation parameters. The sender encodes a message M∈M to generate a ciphertext C∈C using params and the ID-tuple of the intended recipient. Conversely, in the Decryption algorithm, the recipient decodes the ciphertext C to recover the message M using params and the recipient's private key d. Encryption and decryption preferably satisfy the standard consistency constraint:

[0033] ∀M∈M: Decryption(params, d, C)=M

[0034] where C=Encryption(params, ID-tuple, M).

[0035] Like the HIDE schemes, the HIDS schemes of the present invention also generally include five randomized algorithms: Root Setup, Lower-level Setup, Extraction, Signing, and Verification. For Root Setup, the system parameters are supplemented to include a description of the signature space S. Lower-level Setup and Extraction preferably are the same as for HIDE, as described above.

[0036] In the Signing algorithm, the sender of a digital message signs the message M∈M to generate a signature S∈S using params and the sender's private key d. In the Verification algorithm, the recipient of the signed message verifies the signature S using params and the ID-tuple of the sender. The Verification algorithm preferably outputs “valid” or “invalid”. Signing and Verification also preferably satisfy a consistency constraint:

[0037] ∀M∈M: Verification (params, ID-tuple, S)=“valid”

[0038] where S=Signing(params, d, M).

[0039] Security of HIDE and HIDS Schemes

[0040] The security of the schemes embodying the present invention will now be discussed with respect to both HIDE and HIDS. It has been noted in the context of non-hierarchical identity-based cryptography that the standard definition of chosen-ciphertext security must be strengthened for identity-based systems. This is because it should be assumed, for purposes of a security analysis, that an adversary can obtain the private key associated with any identity of its choice (other than the particular identity being attacked). The same applies to hierarchical identity-based cryptography. Accordingly, to establish that the HIDE schemes of the present invention are chosen-ciphertext secure, a simulated attacker is allowed to make private key extraction queries. Also, the simulated adversary is allowed to choose the identity on which it wishes to be challenged.

[0041] It should also be noted that an adversary may choose the identity of its target adaptively or nonadaptively. An adversary that chooses its target adaptively will first make hash queries and extraction queries, and then choose its target based on the results of these queries. Such an adversary might not have a particular target in mind when it begins the attack. Rather, the adversary is successful if it is able to hack somebody. A nonadaptive adversary, on the other hand, chooses its target independently from results of hash queries and extraction queries. For example, such an adversary might target a personal enemy. The adversary may still make hash queries and extraction queries, but its target choice is based strictly on the target's identity, not on the query results. Obviously, security against an adaptively-chosen-target adversary is the stronger, and therefore preferable, notion of security. However, the security analysis of the HIDE schemes in the present invention addresses both types of security.

[0042] A HIDE scheme is said to be semantically secure against adaptive chosen ciphertext and adaptive chosen target attack if no polynomially bounded adversary A has a non-negligible advantage against the challenger in the following game.

[0043] SETUP: The challenger takes a security parameter k and runs the Root Setup algorithm. It gives the adversary the resulting system parameters params. It keeps the root key generation secret to itself.

[0044] PHASE 1: The adversary issues queries q₁, . . . , q_(m), where q_(i) is one of:

[0045] 1. Public-key query (ID-tuple_(i)): The challenger runs a hash algorithm on ID-tuple_(i) to obtain the public key H(ID-tuple_(i)) corresponding to ID-tuple_(i).

[0046] 2. Extraction query (ID-tuple_(i)): The challenger runs the Extraction algorithm to generate the private key d_(i) corresponding to ID-tuple_(i), and sends d_(i) to the adversary.

[0047] 3. Decryption query (ID-tuple_(i), C_(i)): The challenger runs the Extraction algorithm to generate the private key d_(i) corresponding to ID-tuple_(i), runs the Decryption algorithm to decrypt C_(i) using d_(i), and sends the resulting plaintext to the adversary.

[0048] These queries may be asked adaptively. In addition, the queried ID-tuple_(i) may correspond to a position at any level of the hierarchy.

[0049] CHALLENGE: Once the adversary decides that Phase 1 is over, it outputs two equal-length plaintexts M₀, M₁∈M and an ID-tuple on which it wishes to be challenged. The only constraints are that neither this ID-tuple nor its ancestors appear in any private key extraction query in Phase 1. The challenger picks a random bit b∈{0,1} and sets C=Encryption(params, ID-tuple, M_(b)). It sends C as a challenge to the adversary.

[0050] PHASE 2: The adversary issues more queries q_(m+1), . . . , q_(n) where q_(i) is one of:

[0051] 1. Public-key query (ID-tuple_(i)): The challenger responds as in Phase 1.

[0052] 2. Extraction query (ID-tuple_(i)): The challenger responds as in Phase 1.

[0053] 3. Decryption query (C, ID-tuple_(i)): The challenger responds as in Phase 1.

[0054] The queries in Phase 2 are subject to the constraint that the challenger cannot make an Extraction query on the ID-tuple associated with the challenge ciphertext C, or make a Decryption query using that ID-tuple and the ciphertext C. This same constraint also applies to all ancestors of the ID-tuple.

[0055] GUESS: The adversary outputs a guess b′∈{0,1}. The adversary wins the game if b=b′. The adversary's advantage in attacking the scheme is defined to be |Pr[b=b′]−½|.
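One way to encode the query rules of this game in a test harness, as an added example that is not part of the patent: the referee below records extraction queries and enforces the restriction on the challenge ID-tuple and its ancestors in both phases. The class, its method names and the `encrypt` callback are hypothetical, and ID-tuples are modeled as Python tuples whose prefixes are the ancestors.

```python
import secrets


def is_self_or_ancestor(candidate, id_tuple):
    """True if candidate is id_tuple itself or a prefix of it (an ancestor)."""
    candidate, id_tuple = tuple(candidate), tuple(id_tuple)
    return id_tuple[:len(candidate)] == candidate


class GameReferee:
    """Bookkeeping for the adaptive chosen-ciphertext, chosen-target game."""

    def __init__(self, encrypt):
        self.encrypt = encrypt      # hypothetical callback (id_tuple, message) -> ciphertext
        self.extracted = set()      # ID-tuples whose private keys were handed out
        self.target = None          # challenge ID-tuple, fixed at CHALLENGE
        self.challenge_ct = None
        self._bit = None

    def extraction_allowed(self, id_tuple):
        """Phase 1: always allowed. Phase 2: refused for the target and its ancestors."""
        id_tuple = tuple(id_tuple)
        if self.target is not None and is_self_or_ancestor(id_tuple, self.target):
            return False
        self.extracted.add(id_tuple)
        return True

    def decryption_allowed(self, id_tuple, ciphertext):
        """Phase 2 refuses only the pair (target or ancestor, challenge ciphertext)."""
        if self.target is None or ciphertext != self.challenge_ct:
            return True
        return not is_self_or_ancestor(id_tuple, self.target)

    def challenge(self, target, m0, m1):
        """CHALLENGE step: validate the target, pick b, encrypt M_b."""
        target = tuple(target)
        if len(m0) != len(m1):
            raise ValueError("plaintexts must have equal length")
        if any(is_self_or_ancestor(q, target) for q in self.extracted):
            raise ValueError("target or one of its ancestors was already extracted")
        self._bit = secrets.randbelow(2)
        self.target = target
        self.challenge_ct = self.encrypt(target, (m0, m1)[self._bit])
        return self.challenge_ct

    def adversary_wins(self, guess):
        """GUESS step: the adversary wins if its guess equals b."""
        return guess == self._bit


def advantage(wins, trials):
    """Empirical estimate of |Pr[b = b'] - 1/2| over repeated games."""
    return abs(wins / trials - 0.5)
```

Keys of siblings and descendants of the target remain extractable in Phase 2; only the target's own prefix chain is off limits.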

[0056] A HIDE scheme is said to be a one-way encryption scheme if no polynomial time adversary has a non-negligible advantage in the game described below. In this game, the adversary A is given a random public key K_(pub) and a ciphertext C that is the encryption of a random message M using K_(pub), and outputs a guess for the plaintext. The adversary is said to have an advantage ε against the scheme if ε is the probability that A outputs M. The game is played as follows:

[0057] SETUP: The challenger takes a security parameter k and runs the Root Setup algorithm. It gives the adversary the resulting system parameters params. It keeps the root key generation secret to itself.

[0058] PHASE 1: The adversary makes public key and/or extraction queries as in Phase 1 of the chosen-ciphertext security analysis described above.

[0059] CHALLENGE: Once the adversary decides that Phase 1 is over, it outputs a new ID-tuple ID on which it wishes to be challenged. The challenger picks a random M∈M and sets C=Encryption(params, ID-tuple, M). It sends C as a challenge to the adversary.

[0060] PHASE 2: The adversary issues more public-key queries and more extraction queries on identities other than ID and its ancestors, and the challenger responds as in Phase 1.

[0061] GUESS: The adversary outputs a guess M′∈M. The adversary wins the game if M=M′. The adversary's advantage in attacking the scheme is defined to be Pr[M=M′].

[0062] The schemes of the present invention are secure against the challenges described above. In addition, the HIDS schemes of the present invention are secure against existential forgery on adaptively chosen messages. An adversary should be unable to forge its target's signature on other messages that the target has not signed previously, even after (adaptively) obtaining the target's signature on messages of the adversary's choosing. A HIDS adversary also will have the ability to make public key queries and private key extraction queries on entities other than the target and its ancestors, and the ability to choose its target. As with HIDE, the adversary's choice of target may be adaptive or nonadaptive.

[0063] Pairings

[0064] The presently preferred HIDE and HIDS schemes of the present invention are based on pairings, such as, for instance, the Weil or Tate pairings associated with elliptic curves or abelian varieties. The methods also are based on the Bilinear Diffie-Hellman problem. They use two cyclic groups G₁ and G₂, preferably of the same large prime order q. The first group G₁ preferably is a group of points on an elliptic curve or abelian variety, and the group law on G₁ may be written additively. The second group G₂ preferably is a multiplicative subgroup of a finite field, and the group law on G₂ may be written multiplicatively. However, other types of groups may be used as G₁ and G₂ consistent with the present invention.

[0065] The methods also use a generator P₀ of the first group G₁. In addition, a pairing or function ê: G₁×G₁→G₂ is provided for mapping two elements of the first group G₁ to one element of the second group G₂. The function ê preferably satisfies three conditions. First, the function ê preferably is bilinear, such that if Q and R are in G₁ and a and b are integers, then ê(aQ, bR)=ê(Q, R)^(ab). Second, the function ê preferably is non-degenerate, such that the map does not send all pairs in G₁×G₁ to the identity in G₂. Third, the function ê preferably is efficiently computable. A function ê satisfying these three conditions is considered to be admissible.

[0066] The function ê also preferably is symmetric, such that ê(Q, R)=ê(R, Q) for all Q, R∈G₁. Symmetry, however, follows immediately from the bilinearity and the fact that G₁ is a cyclic group. Weil and Tate pairings associated with supersingular elliptic curves or abelian varieties can be modified to create such bilinear maps according to methods known in the art. However, even though reference to elements of the first cyclic group G₁ as “points” may suggest that the function ê will work, it should be noted that any admissible pairing ê will work.

[0067] The security of the HIDE and HIDS schemes of the present invention is based primarily on the difficulty of the Bilinear Diffie-Hellman problem. The Bilinear Diffie-Hellman problem is that of finding ê(P, P)^(abc) given a randomly chosen P∈G₁, as well as aP, bP, and cP (for unknown randomly chosen a, b, c∈Z/qZ). Solving the Diffie-Hellman problem in G₁ solves the Bilinear Diffie-Hellman problem because ê(P, P)^(abc)=ê(abP, cP). Similarly, solving the Diffie-Hellman problem in G₂ solves the Bilinear Diffie-Hellman problem because, if g=ê(P, P), then g^(abc)=(g^(ab))^(c) where g^(ab)=ê(aP, bP) and g^(c)=ê(P, cP). For the Bilinear Diffie-Hellman problem to be hard, G₁ and G₂ should be chosen such that there is no known algorithm for efficiently solving the Diffie-Hellman problem in either G₁ or G₂. If the Bilinear Diffie-Hellman problem is hard for a pairing ê, then it follows that ê is non-degenerate.

[0068] A randomized algorithm IG is a Bilinear Diffie-Hellman generator if IG takes a security parameter k>0, runs in time polynomial in k, and outputs the description of two groups G₁ and G₂, preferably of the same prime order q, and the description of an admissible pairing ê: G₁×G₁→G₂. If IG is a Bilinear Diffie-Hellman parameter generator, the advantage Adv_(IG)(B) that an algorithm B has in solving the Bilinear Diffie-Hellman problem is defined to be the probability that the algorithm B outputs ê(P, P)^(abc) when the inputs to the algorithm are G₁, G₂, ê, P, aP, bP, and cP, where (G₁, G₂, ê) is the output of IG for a sufficiently large security parameter K, P is a random generator of G₁, and a, b, and c are random elements of Z/qZ. The assumption underlying the Bilinear Diffie-Hellman problem is that Adv_(IG)(B) is negligible for all efficient algorithms B.
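The algebra of paragraphs [0065] to [0067] can be checked on a toy pairing, given here as an added example that is not part of the patent: G₁ is the additive group Z_q and G₂ the order-q subgroup of Z_p^*, a constructed setting with no security in which both Diffie-Hellman oracles are computable, so the two reductions to the Bilinear Diffie-Hellman problem run end to end. All names and the parameters q=1019, p=2039 are assumptions of the example.

```python
# Toy groups, constructed for illustration only (no security):
#   G1 = (Z_q, +) with generator P;  G2 = order-q subgroup of Z_p^*, p = 2q + 1.
Q_ORDER = 1019             # prime order q shared by G1 and G2
P_MOD = 2 * Q_ORDER + 1    # 2039, also prime
G2_GEN = 4                 # 2^2 is a quadratic residue != 1, so it has order q
P = 7                      # any non-zero element of Z_q generates G1


def pairing(x, y):
    """Toy admissible pairing e(x, y) = G2_GEN^(x*y): bilinear and symmetric."""
    return pow(G2_GEN, (x * y) % Q_ORDER, P_MOD)


def cdh_g1(base, a_base, b_base):
    """Diffie-Hellman oracle in G1: from P, aP, bP return abP.

    In Z_q this is a single modular division, which is why Z_q itself can
    never serve as G1 in a real scheme.
    """
    return a_base * b_base * pow(base, -1, Q_ORDER) % Q_ORDER


def cdh_g2(g, g_a, g_b):
    """Diffie-Hellman oracle in G2: from g, g^a, g^b return g^(ab).

    Implemented by exhaustive discrete log, feasible only because q is tiny.
    """
    a = next(k for k in range(Q_ORDER) if pow(g, k, P_MOD) == g_a)
    return pow(g_b, a, P_MOD)


def bdh_via_g1(base, a_base, b_base, c_base):
    """First reduction: e(P, P)^(abc) = e(abP, cP), using the G1 oracle."""
    return pairing(cdh_g1(base, a_base, b_base), c_base)


def bdh_via_g2(base, a_base, b_base, c_base):
    """Second reduction: g = e(P, P), g^(ab) = e(aP, bP), g^c = e(P, cP)."""
    g = pairing(base, base)
    return cdh_g2(g, pairing(a_base, b_base), pairing(base, c_base))


def bdh_instance(a, b, c):
    """Build the public inputs (P, aP, bP, cP) and the answer e(P, P)^(abc)."""
    points = (P, a * P % Q_ORDER, b * P % Q_ORDER, c * P % Q_ORDER)
    answer = pow(pairing(P, P), a * b * c, P_MOD)
    return points, answer


if __name__ == "__main__":
    pts, expected = bdh_instance(123, 456, 789)
    print(bdh_via_g1(*pts) == expected, bdh_via_g2(*pts) == expected)
```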

[0069] HIDE Schemes

[0070] Referring now to the accompanying drawings, FIG. 1 shows a flow diagram illustrating a method of encoding and decoding a digital message according to one presently preferred embodiment of the invention. The method is performed in a HIDE system including a plurality of PKGs. The PKGs include at least a root PKG and n lower-level PKGs in the hierarchy between the root PKG and the recipient, wherein n≧1.

[0071] In block 102, the root PKG selects a root key generation secret known only to the root PKG. The root key generation secret may be used to generate private keys for PKGs and/or users below the root PKG in the hierarchy. The root PKG then generates a root key generation parameter based on the root key generation secret in block 104. The root key generation parameter is used to mask the root key generation secret. The root key generation parameter may be revealed to lower-level PKGs without compromising the root key generation secret. The lower-level PKGs select lower-level key generation secrets in block 106. The lower-level key generation secret associated with a given lower-level PKG may be used to generate private keys for PKGs and/or users below the associated lower-level PKG in the hierarchy. Like the root key generation secret, each of the lower-level key generation secrets is known only to its associated lower-level PKG.

[0072] In block 108, lower-level key generation parameters are generated for each of the n lower-level PKGs. Each of the lower-level key generation parameters is generated using at least the lower-level key generation secret for its associated lower-level PKG. Like the root key generation parameter, each of the lower-level key generation parameters masks its associated lower-level key generation secret.

[0073] Using at least the root key generation parameter and identity information associated with the recipient, the sender encodes the message in block 110 to form a ciphertext. For instance, the message may be encoded using only the root key generation parameter and the recipient's identity. Alternatively, one of the lower-level key generation parameters may be used, such as is described in more detail below with respect to dual-HIDE schemes. In block 112, a lower-level PKG generates a private key for the recipient such that the private key is related to at least the root key generation secret, one or more of the n lower-level key generation secrets associated with the n lower-level PKGs in the hierarchy between the root PKG and the recipient, and the recipient's identity information. For instance, in addition to the root key generation secret and the recipient's identity information, the recipient's private key preferably also is related at least to the lower-level key generation secret of the PKG that issued the private key to the recipient. Alternatively, the recipient's private key may be related to all n of its ancestral PKGs' lower-level key generation secrets, as well as the root key generation secret. In block 114, the recipient uses at least its private key to decode the ciphertext and recover the message. In addition to using its private key to decode, the recipient preferably also uses the n lower-level key generation parameters associated with the n lower-level PKGs in the hierarchy between the root PKG and the recipient.

[0074] Each lower-level PKG has a key generation secret, just like the root PKG. As described above, a lower-level PKG preferably uses this secret to generate a private key for each of its children, just as the root PKG does. As a result, the children's private keys are related to the lower-level PKG's key generation secret. This is true even if the lower-level PKG uses a modified version of its key generation secret to obscure that secret for purposes of restricting key escrow, as described more fully below. At the same time, the lower-level PKGs need not always use the same secret for each private key extraction. Rather, a new key generation secret could be generated randomly for each of the PKG's children, resulting in a different key generation parameter for each child.

[0075] Because a lower-level PKG is able to generate a private key for the recipient (block 112), the root PKG need not generate all of the private keys itself. In addition, because the lower-level PKGs use their own key generation secrets to generate private keys for their descendants, compromising a lower-level key generation secret causes only limited security damage to the hierarchy. Rather than compromising all of the private keys in the hierarchy, a breach of a lower-level PKG compromises only the private key of that PKG and those private keys that were generated using that PKG's key generation secret (i.e., the private keys of those users that are direct hierarchical descendants of the compromised PKG).

[0076] Another advantage of this embodiment is that the sender need not be in the hierarchy to send an encoded message to the recipient. The sender merely needs to know the identity information associated with the recipient and the system parameters generated by the root PKG. There are, however, certain additional advantages of the HIDE schemes of the present invention that become available when the sender is positioned within the hierarchy. For instance, when both the sender and the recipient are in the hierarchy, the efficiency of the message encryption may be improved by using the identities of both parties. This type of HIDE scheme may be referred to as dual-HIDE because the identities of both the sender and the recipient are used as input for the encryption and decryption algorithms. A method of encoding and decoding a message using a dual-HIDE scheme will now be discussed with reference to FIGS. 2 and 3.

[0077] Dual-HIDE

[0078] FIG. 2 shows a flow diagram illustrating a method of encoding and decoding a digital message between a sender y and a recipient z according to another presently preferred embodiment of the invention. FIG. 3 shows a block diagram illustrating a typical hierarchical structure in which this method may be performed. Like the previous embodiment, this method is performed in a HIDE system including at least a root PKG 302 and n lower-level PKGs 304 a,b,d in the hierarchy between the root PKG 302 and the recipient z 308, wherein n≧1. The sender y 306 in this embodiment also must be in the hierarchy, and the hierarchy also includes m lower-level PKGs 304 a,b,c between the root PKG 302 and the sender y 306, wherein m≧1. Of the m PKGs 304 a,b,c between the root PKG 302 and the sender y 306, and the n PKGs 304 a,b,d between the root PKG 302 and the recipient z 308, there are l PKGs 304 a,b that are common ancestors to both the sender y 306 and the recipient z 308, wherein 1≦l≦m, n. For instance, two of these l common ancestral PKGs (PKG_(y1)/PKG_(z1) 304 a and PKG_(yl)/PKG_(zl) 304 b) are shown in FIG. 3.

[0079] The method of this embodiment begins in block 202, when the root PKG 302 selects a root key generation secret known only to the root PKG 302. The root PKG 302 then generates a root key generation parameter based on the root key generation secret in block 204. The lower-level PKGs 304 a-d select lower-level key generation secrets in block 206. Like the root key generation secret, each of the lower-level key generation secrets is known only to its associated lower-level PKG 304 a-d. In block 208, lower-level key generation parameters are generated for each of the n lower-level PKGs 304 a-d. Each of the lower-level key generation parameters is generated using at least the lower-level key generation secret for its associated lower-level PKG 304 a-d.

[0080] In block 210, the sender's parent PKG_(ym) 304 c generates a private key for the sender y 306 such that the private key is related to at least the root key generation secret, one or more of the m lower-level key generation secrets associated with the m lower-level PKGs 304 a,b,c between the root PKG 302 and the sender y 306, and the sender's identity information. For instance, in addition to the root key generation secret and the sender's identity information, the sender's private key preferably is related at least to the lower-level key generation secret of the sender's parent PKG_(ym) 304 c. Alternatively, the sender's private key may be related to all m of its direct ancestral PKGs' lower-level key generation secrets, as well as the root key generation secret. In block 212, the recipient's parent PKG_(zn) 304 d generates a private key for the recipient z in a manner similar to that which the sender's parent PKG_(ym) 304 c used to generate the sender's private key.

[0081] In block 214, the sender y encodes the message to form a ciphertext using at least the sender's private key and one or more of the lower-level key generation parameters associated with the (m−l+1) PKGs (i.e., PKG_(yl) 304 b and PKG_(ym) 304 c) between the root PKG 302 and the sender y 306 that are at or below the level of the lowest ancestor PKG (PKG_(yl)/PKG_(zl) 304 b) that is common to both the sender y 306 and the recipient z 308. In encoding the message, the sender y 306 preferably does not use any of the lower-level key generation parameters that are associated with the (l−1) PKGs (i.e., PKG_(y1) 304 a) that are above the lowest common ancestor PKG (PKG_(yl)/PKG_(zl) 304 b).

[0082] The recipient z 308 then decodes the ciphertext to recover the message in block 216 using at least the recipient's private key and one or more of the lower-level key generation parameters associated with the (n−l+1) PKGs (i.e., PKG_(zl) 304 b and PKG_(zn) 304 c) between the root PKG 302 and the recipient z 308 that are at or below the level of the lowest ancestor PKG (PKG_(yl)/PKG_(zl) 304 b) that is common to both the sender y 306 and the recipient z 308. In decoding the message, the recipient z 306 preferably does not use any of the lower-level key generation parameters that are associated with the (l−1) PKGs (i.e., PKG_(z1) 304 a) that are above the lowest common ancestor PKG (PKG_(yl)/PKG_(zl) 304 b).

[0083] This dual-HIDE embodiment of the invention provides a more efficient scheme for encoding and decoding the message because it requires the use of fewer key generation parameters. For instance, decoding in a regular HIDE scheme preferably requires all n of the key generation parameters, but decoding in a dual-HIDE scheme preferably requires only (n−l+1) of the key generation parameters. Dual-HIDE schemes require the sender y 306 to obtain its private key before sending an encoded message to the recipient z 308, as opposed to merely obtaining the public system parameters of the root PKG. The dual-HIDE schemes also enable the sender y 306 and the recipient z 308 to restrict the scope of key escrow, as described more fully below. This shared secret is unknown to third parties other than their lowest common ancestor PKG_(yl)/PKG_(zl) 304 b.

[0084] BasicHIDE

[0085] FIG. 4 shows a flow diagram illustrating a method of encoding and decoding a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention. The recipient z 308 is n+1 levels below the root PKG in the hierarchy, as shown in FIG. 3, and is associated with the ID-tuple (ID_(z1), . . . , ID_(z(n+1))). The recipient's ID-tuple includes identity information ID_(z(n+1)) associated with the recipient, as well as identity information ID_(zi) associated with each of its n ancestral lower-level PKGs in the hierarchy. The method begins in block 402 by generating first and second cyclic groups G₁ and G₂ of elements. In block 404, a function ê is selected, such that the function ê is capable of generating an element of the second cyclic group G₂ from two elements of the first cyclic group G₁. The function ê preferably is an admissible pairing, as described above. A root generator P₀ of the first cyclic group G₁ is selected in block 406. In block 408, a random root key generation secret s₀ associated with and known only to the root PKG 302 is selected. Preferably, s₀ is an element of the cyclic group Z/qZ. A root key generation parameter Q₀=s₀P₀ is generated in block 410. Preferably, Q₀ is an element of the first cyclic group G₁. In block 412, a first function H₁ is selected such that H₁ is capable of generating an element of the first cyclic group G₁ from a first string of binary digits. A second function H₂ is selected in block 414, such that H₂ is capable of generating a second string of binary digits from an element of the second cyclic group G₂. The functions of blocks 402 through 414 are part of the HIDE Root Setup algorithm described above, and preferably are performed at about the same time. By way of example, the functions such as those disclosed in Boneh-Franklin may be used as H₁ and H₂.

[0086] The next series of blocks (blocks 416 through 424) show the functions performed as part of Lower-level Setup algorithm. In block 416, a public element P_(zi) is generated for each of the recipients' n ancestral lower-level PKGs. Each of the public elements, P_(zi)=H₁(ID₁, . . . , ID_(zi)) for 1≦i≦n, preferably is an element of the first cyclic group G₁. Although represented in a single block, generation of all the public elements P_(zi) may take place over time, rather than all at once.

[0087] A lower-level key generation secret s_(zi) is selected (block 418) for each of the recipients' n ancestral lower-level PKGs 304 a,b,d. The lower-level key generation secrets s_(zi) preferably are elements of the cyclic group Z/qZ for 1≦i≦n, and each lower-level key generation secret s_(zi) preferably is known only to its associated lower-level PKG. Again, although represented in a single block, selection of all the lower-level key generation secrets s_(zi) may take place over time, rather than all at once.

[0088] A lower-level secret element S_(zi) is generated (block 420) for each of the sender's n ancestral lower-level PKGs. Each lower-level secret element, S_(zi)=S_(z(i−1))+s_(z(i−1))P_(zi) for 1≦i≦n, preferably is an element of the first cyclic group G₁. Although represented in a single block like the public elements P_(zi) and the secrets s_(zi), generation of all the secret elements S_(zi) may take place over time, rather than all at once. For purposes of these iterative key generation processes, S₀ may be defined to be the identity element of G₁.

[0089] A lower-level key generation parameter Q_(zi) also is generated (block 422) for each of the recipients' n ancestral lower-level PKGs. Each of the key generation parameters, Q_(zi)=s_(zi)P₀ for 1≦i≦n, preferably is an element of the first cyclic group G₁. Again, although represented in a single block, generation of all the key generation parameters Q_(zi) may take place over time, rather than all at once.

[0090] The functions of the next two blocks (blocks 424 and 426) are performed as part of the Extraction algorithm described above. A recipient public element P_(z(n+1)) associated with the recipient z is generated in block 424. The recipient public element, P_(z(n+1))=H₁(ID_(z1), . . . , ID_(z(n+1))), preferably is an element of the first cyclic group G₁. A recipient secret element S_(z(n+1)) associated with the recipient z is then generated in block 426. The recipient secret element

$S_{z(n+1)} = S_{zn} + s_{zn}P_{z(n+1)} = \sum_{i=1}^{n+1} s_{z(i-1)}P_{zi},$

[0091] also preferably is an element of the first cyclic group G₁.

[0092] For convenience, the first function H₁ optionally may be chosen to be an iterated function so that, for example, the public points P_(i) may be computed as H₁(P_(z(i−1)), ID_(zi)) rather than H₁(ID₁, . . . , ID_(zi)).

[0093] The last two blocks shown in FIG. 4 (blocks 428 and 430) represent the Encryption and Decryption algorithms described above. In block 428, the message M is encoded to generate a ciphertext C. The encoding preferably uses at least the root key generation parameter Q₀ and the ID-tuple (ID_(z1), . . . , ID_(z(n+1))). The ciphertext C is then decoded in block 430 to recover the message M. The decoding preferably uses at least the lower-level key generation parameters Q_(zi) for 1<i<n, and the recipient secret element S_(z(n+1)).

[0094] The blocks shown in FIG. 4 need not all occur in sequence. For instance, a sender who knows a recipient's identity may encrypt communications to the recipient before the recipient obtains its private key.

[0095] The specific use of the parameters and elements described above in the encoding and decoding of the message M and the ciphertext C will now be discussed with reference to FIGS. 5 and 6. FIG. 5 shows a flow diagram illustrating a method of encoding and decoding a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention. In this scheme, which may be referred to as BasicHIDE, the Root Setup, Lower-level Setup, and Extraction algorithms are the same as for the embodiment shown in blocks 402 through 426 of FIG. 4. The flow diagram of FIG. 5 illustrates the Encryption and Decryption algorithms, beginning with the selection of a random encryption parameter r in block 528 a. Preferably, r is an integer of the cyclic group Z/qZ. The ciphertext C is then generated in block 528 b using the formula C=[U₀, U₂, . . . , U_(n+1), V]. The ciphertext C includes elements U_(i)=rP_(zi) for i=0 and for 2≦i≦n+1, which relate to the location of the recipient in the hierarchy. The other part of the ciphertext C is the actual message in encrypted form, V=M⊕H₂(g^(r)), wherein g=ê(Q₀, P_(z1)). The element g preferably is a member of the second cyclic group G₂. After the message has been encoded, it may be decoded according to the BasicHIDE Decryption algorithm, in which the message M is recovered from the ciphertext C (block 530) using the formula

$M = V \oplus H_2\left(\frac{\hat{e}(U_0, S_{n+1})}{\prod_{i=2}^{n+1} \hat{e}(Q_{i-1}, U_i)}\right).$

[0096] FullHIDE

[0097] Using known methods for making one-way encryption schemes secure against chosen-ciphertext attacks, a BasicHIDE scheme may be converted to a FullHIDE scheme that is chosen ciphertext secure in the random oracle model. A FullHIDE scheme that is chosen ciphertext secure will now be discussed with reference to FIG. 6.

[0098] FIG. 6 shows a flow diagram illustrating a method of encoding and decoding a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention. The Root Setup, Lower-level Setup, and Extraction algorithms are the same for this embodiment of the invention as for the embodiment described with reference to FIG. 4, except that the Root Setup algorithm of this embodiment requires two additional functions. Accordingly, the flow diagram of FIG. 6 begins with the selection of the additional functions (blocks 615 a and 615 b) and continues with the Encryption and Decryption algorithms (blocks 628 a through 630 d).

[0099] The Root Setup algorithm is completed by selecting a third function H₃ (block 615 a) and a fourth function H₄ (block 615 b). The third function H₃ preferably is capable of generating an integer of the cyclic group Z/qZ from two strings of binary digits. The fourth function H₄ preferably is capable of generating one binary string from another binary string.

[0100] The Encryption algorithm begins with block 628 a, which shows the selection of a random binary string σ. The random binary string σ is then used to generate a random integer r=H₃(σ, M, W), as shown in block 628 b, wherein W is a symmetric encryption of the actual message M. The encryption preferably is generated using a symmetric encryption algorithm E, and using H₄(σ) as the encryption key. Accordingly, W=E_(H₄(σ))(M). In block 628 c, the ciphertext C=[U₀, U₂, . . . , U_(n+1), V, W] is generated. The ciphertext C includes elements U_(i)=rP_(zi) for i=0 and for 2≦i≦n+1, which relate to the location of the recipient in the hierarchy. The second part of the ciphertext C is the random binary string σ in encrypted form, V=σ⊕H₂(g^(r)), wherein g=ê(Q₀, P_(z1)). The element g preferably is a member of the second cyclic group G₂. The third part of the ciphertext C is W, the actual message in symmetrically encrypted form, as described above.

[0101] The Decryption algorithm begins with block 630 a, which shows the recovery of the random binary string σ. The random binary string σ is recovered using the formula

$\sigma = V \oplus H_2\left(\frac{\hat{e}(U_0, S_{z(n+1)})}{\prod_{i=2}^{n+1} \hat{e}(Q_{i-1}, U_i)}\right).$

[0102] The message M is then recovered from the ciphertext C (block 630 b) using the formula M=E_(H₄(σ))⁻¹(W). The ciphertext optionally may be checked for internal consistency. For instance, an experimental random integer r′=H₃(σ, M, W) may be generated, as shown in block 630 c. The experimental random integer r′ then may be used in block 630 d to confirm that U₀=r′P₀ and U_(i)=r′P_(zi) for 2≦i≦n+1. If so, then the ciphertext C is considered to be authentic.

[0103] Dual-BasicHIDE and Dual-FullHIDE

[0104] The concept of dual-HIDE described with reference to FIGS. 2 and 3 may be applied to BasicHIDE and FullHIDE schemes. When both the sender and recipient are within the hierarchical structure, as shown in FIG. 3, dual-HIDE allows them to increase the efficiency and security of their encrypted communications. The application of dual-HIDE to BasicHIDE and FullHIDE schemes requires the determination of additional information, most of which is determined via the Lower-level Setup algorithm described above. For instance, public elements P_(yi), lower-level key generation secrets s_(yi), lower-level secret elements S_(yi), and lower-level key generation parameters Q_(yi) must be determined for the sender's m ancestral lower-level PKGs. Note, however, that for the lower-level PKGs that are common ancestors to both the sender y and the recipient z, these parameters preferably will be the same for purposes of analyzing both the sender y and the recipient z (i.e., preferably for all i≦l: P_(yi)=P_(zi), s_(yi)=s_(zi), S_(yi)=S_(zi), and Q_(yi)=Q_(zi)). Dual-HIDE also requires determination of a sender public element P_(y(m+1)) and a sender secret element S_(y(m+1)) for the sender, using the same methods for which these parameters are determined for the recipient as described above.

[0105] Given these additional parameters, a message M may be encoded to generate a ciphertext C according to the principles of dual-HIDE by using the lower-level key generation parameters Q_(yi) for i≧l and the sender secret element S_(y(m+1)), but not using the lower-level key generation parameters Q_(yi) for i<l. Similarly, the ciphertext C may be decoded to recover the message M using the lower-level key generation parameters Q_(zi) for i≧l and the recipient secret element S_(z(n+1)), but not using the lower-level key generation parameters Q_(zi) for i<l.

[0106] For instance, in a BasicHIDE scheme (FIGS. 4 and 5), application of dual-HIDE changes the encoding of the message M to generate a ciphertext C=[U₀, U_(l+1), . . . , U_(n+1), V], wherein U_(i)=rP_(zi) for i=0 and for l+1≦i≦n+1, wherein V=M⊕H₂(g_(yl)^(r)), and wherein

$g_{yl} = \frac{\hat{e}(P_0, S_{y(m+1)})}{\prod_{i=l+1}^{m+1} \hat{e}(Q_{y(i-1)}, P_{yi})}.$

[0107] The U_(i) factors are calculated in the same way as before, but fewer of them are necessary. However, dual-BasicHIDE does require the sender y to use more key generation parameters Q_(yi) to generate g_(yl) than are necessary to generate g as described above. This is because the sender's identity is being incorporated into the Encryption algorithm.

[0108] The increase in efficiency of the Decryption algorithm is more dramatic. The message M is recovered using

$M = V \oplus H_2\left(\frac{\hat{e}(U_0, S_{z(n+1)})}{\prod_{i=l+1}^{n+1} \hat{e}(Q_{z(i-1)}, U_{zi})}\right).$

[0109] Again, fewer U_(i) parameters are necessary. Similarly, the recipient requires fewer key generation parameters Q_(zi) for dual-HIDE than would otherwise be necessary.

[0110] FullHIDE also may be modified to create a dual-FullHIDE scheme. Generation of the ciphertext C in the Encryption algorithm is modified such that C=[U₀, U_(l+1), . . . , U_(n+1), V, W], wherein U_(i)=rP_(zi) for i=0 and for l+1≦i≦n+1. The W and r parameters are still generated the same way, W=E_(H₄(σ))(M), and the g_(yl) parameter in V=σ⊕H₂(g_(yl)^(r)) is generated using

$g_{yl} = \frac{\hat{e}(P_0, S_{y(m+1)})}{\prod_{i=l+1}^{m+1} \hat{e}(Q_{y(i-1)}, P_{yi})}.$

[0111] The Decryption algorithm also is modified in a dual-FullHIDE scheme. The random binary string σ is recovered using

$\sigma = V \oplus H_2\left(\frac{\hat{e}(U_0, S_{z(n+1)})}{\prod_{i=l+1}^{n+1} \hat{e}(Q_{z(i-1)}, U_{zi})}\right).$

[0112] Otherwise, recovery of the message M does not change.

[0113] Although these dual-HIDE schemes have been described using PKG_(l) 304 b as the lowest ancestor PKG common to both the sender y and the recipient z, PKG_(l) 304 b may be any common ancestor PKG. The encryption and decryption algorithms are the same. For maximum efficiency, however, it is preferable that PKG_(l) 304 b be the lowest common ancestor PKG.

[0114] In addition to the increase in efficiency, the dual-HIDE schemes of the present invention also offer increased security by restricting key escrow. In the BasicHIDE and FullHIDE schemes described above, all of the recipient's direct ancestor PKGs are able to decrypt messages to the recipient. However, because the dual-HIDE schemes incorporate the key generation secret of PKG_(l−1) (the immediate parent of PKG_(l)), which is unknown to the common ancestor PKGs above PKG_(l−1), those common ancestor PKGs are not able to decrypt messages between the sender y and the recipient z. The immediate parent of PKG_(l) 304 b is still able to decrypt messages, however, because it knows its own key generation secret.

[0115] Key escrow may be further restricted such that even the immediate parent of PKG_(l) may not decrypt messages between the sender y and the recipient z. This may be accomplished by obscuring PKG_(l)'s private key in the process of generating private keys for the sender y and the recipient z (or private keys for children of PKG_(l) that are ancestors of the sender y and the recipient z). For instance, PKG_(l) 304 b may easily change its private key by setting S′_(l):=S_(l)+bP_(l), and Q′_(l−1):=Q_(l−1)+bP₀, for some random b∈Z/qZ. The new private key S′_(l) is just as effective, but is unknown to PKG_(l)'s immediate parent. Accordingly, no PKGs above PKG_(l) are able to decode messages encrypted to the recipient z. More specifically, only ancestors of the recipient z that are within PKG_(l)'s domain are able to decrypt messages to the recipient z.

[0116] When PKG_(l) 304 b changes its private key by setting S′_(l):=S_(l)+bP_(l), and Q′_(l−1):=Q_(l−1)+bP₀, the new private key is still related to PKG_(l−1)'s key generation secret s_(l−1), because the new private key is derived from a private key generated by PKG_(l−1) using s_(l−1). In general, in all of the schemes discussed herein, a user or PKG may change its own secret element S_(z(n+1)) and key generation parameters Q_(zi) for 1≦i≦n by choosing values for b_(i) for 1≦i≦n and setting S′_(z(n+1)):=S_(z(n+1))+Σ_(i=1)^(n) b_(i)P_(z(i+1)) and Q′_(zi):=Q_(zi)+b_(i)P₀ for 1≦i≦n. For purposes of the present invention, however, this new private key is still considered to be related to the original private key, and is thus related to the original values of the key generation secrets s_(zi).
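The BasicHIDE Setup, Extraction, Encryption and Decryption equations of [0085] through [0095], together with the private-key change of [0116], can be checked end to end with the following sketch. It is an added example, not code from the patent: the "pairing" is a deliberately insecure stand-in (G₁ is Z/qZ with P₀=1, so every G₁ element exposes its own discrete logarithm), and the hash constructions, function names and ID strings are assumptions made for illustration.

```python
"""BasicHIDE algebra over a TOY pairing. Insecure: for checking the equations only."""
import hashlib
import math
import secrets

def _is_prime(n):
    """Trial division; adequate for the small demo modulus searched below."""
    return n > 2 and n % 2 == 1 and all(n % d for d in range(3, math.isqrt(n) + 1, 2))

# Toy groups (an assumption of this example, not the patent's construction):
# G1 = (Z_q, +) with P0 = 1; G2 = the order-q subgroup of Z_p^*. Because a G1
# element is stored as its own discrete log, Q_i reveals s_i. Never use for real data.
Q = 2**31 - 1                                    # prime group order q
P_MOD = next(k * Q + 1 for k in range(2, 10**4, 2) if _is_prime(k * Q + 1))
G = next(g for g in (pow(h, (P_MOD - 1) // Q, P_MOD) for h in range(2, 100)) if g != 1)
P0 = 1                                           # root generator of G1

def pair(a, b):
    """Toy pairing e^(aP0, bP0) = G^(ab): bilinear and non-degenerate."""
    return pow(G, a * b % Q, P_MOD)

def H1(*ids):
    """Hash an ID-tuple prefix to a non-zero element of G1."""
    digest = hashlib.sha256("\x00".join(ids).encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def H2(elem, n):
    """Hash an element of G2 to an n-byte mask."""
    return hashlib.shake_256(elem.to_bytes(16, "big")).digest(n)

def public_elements(ids):
    """[P_0, P_1, ..., P_(n+1)] with P_i = H1(ID_1, ..., ID_i)."""
    return [P0] + [H1(*ids[:i]) for i in range(1, len(ids) + 1)]

def setup_and_extract(ids):
    """Root Setup, Lower-level Setup and Extraction along one ID-tuple."""
    n = len(ids) - 1
    s = [secrets.randbelow(Q - 1) + 1 for _ in range(n + 1)]    # s_0 .. s_n
    Qs = [s_i * P0 % Q for s_i in s]                            # Q_i = s_i P_0
    P = public_elements(ids)
    S = sum(s[i - 1] * P[i] for i in range(1, n + 2)) % Q       # S_(n+1)
    return Qs, S

def encrypt(Q0, ids, msg):
    """C = [U_0, U_2, ..., U_(n+1), V], V = M xor H2(g^r), g = e^(Q_0, P_1)."""
    r = secrets.randbelow(Q - 1) + 1
    P = public_elements(ids)
    U = {i: r * P[i] % Q for i in [0, *range(2, len(ids) + 1)]}
    mask = H2(pow(pair(Q0, P[1]), r, P_MOD), len(msg))
    return U, bytes(m ^ k for m, k in zip(msg, mask))

def decrypt(Qs, S, U, V):
    """M = V xor H2( e^(U_0, S_(n+1)) / prod_{i=2..n+1} e^(Q_(i-1), U_i) )."""
    den = 1
    for i in range(2, len(Qs) + 1):
        den = den * pair(Qs[i - 1], U[i]) % P_MOD
    elem = pair(U[0], S) * pow(den, -1, P_MOD) % P_MOD
    return bytes(c ^ k for c, k in zip(V, H2(elem, len(V))))

def rerandomize(Qs, S, ids):
    """[0116]: S' = S + sum b_i P_(i+1), Q'_i = Q_i + b_i P_0 for 1 <= i <= n."""
    n, P = len(ids) - 1, public_elements(ids)
    b = [0] + [secrets.randbelow(Q - 1) + 1 for _ in range(n)]  # b_1 .. b_n
    S2 = (S + sum(b[i] * P[i + 1] for i in range(1, n + 1))) % Q
    return [(Qs[i] + b[i] * P0) % Q for i in range(n + 1)], S2

def demo():
    ids = ("example.org", "engineering", "alice")    # constructed ID-tuple, n = 2
    msg = b"constructed test message"
    Qs, S = setup_and_extract(ids)
    U, V = encrypt(Qs[0], ids, msg)                  # sender needs only Q_0 and ids
    Qs2, S2 = rerandomize(Qs, S, ids)
    return {
        "plain": decrypt(Qs, S, U, V) == msg,
        "rerandomized": decrypt(Qs2, S2, U, V) == msg,
        "key_changed": S2 != S,
        "mismatched_fails": decrypt(Qs, S2, U, V) != msg,
    }

if __name__ == "__main__":
    print(demo())
```

The last check shows why the changed secret element S′ is only usable together with the adjusted parameters Q′_(zi): decrypting with S′ and the original Q_(zi) leaves an uncancelled pairing factor in the mask.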

[0117] Dual-HIDE Scheme with More Efficient Encryption or Decryption

[0118] In the dual-HIDE schemes described above, it is possible to decrease by one the number of values of the pairing that the encrypter must compute without increasing the number of values of the pairing that the decrypter must compute. For instance, the dual-BasicHIDE Encryption algorithm described above may be modified such that the ciphertext C=[rP₀, r(P_(y(l+1))−P_(z(l+1))), rP_(z(l+2)), . . . , rP_(z(n+1)), M⊕H₂(g_(y(l+1))^(r))], where

$g_{y(l+1)} = \frac{\hat{e}(P_0, S_{y(n+1)})}{\prod_{i=l+2}^{m} \hat{e}(Q_{y(i-1)}, P_{yi})} = \hat{e}(P_0, S_{y(l+1)}).$

[0119] If the ciphertext is represented as C=[U₀, U_(l+1), . . . , U_(n+1), V],

[0120] then it may be decrypted using

$M = V \oplus H_2\left(\frac{\hat{e}(U_0, S_{z(n+1)})\,\hat{e}(U_{l+1}, Q_{zl})}{\prod_{i=l+2}^{n} \hat{e}(Q_{z(i-1)}, U_i)}\right).$

[0121] Likewise, it is possible to decrease by one the number of values of the pairing that the decrypter must compute without increasing the number of values that the encrypter must compute. For instance, the dual-BasicHIDE Encryption algorithm may be modified such that the ciphertext C=[rP₀, rP_(y(l+2)), . . . , rP_(y(n)), M⊕H₂(g_(z(l+1))^(r))], where

$g_{z(l+1)} = \frac{\hat{e}(P_0, S_{y(m+1)})\,\hat{e}(Q_{yl}, (P_{z(l+1)} - P_{y(l+1)}))}{\prod_{i=l+2}^{m} \hat{e}(Q_{y(i-1)}, P_{yi})} = \hat{e}(P_0, S_{z(l+1)}).$

[0122] If the ciphertext is represented as C=[U₀, U_(l+2), . . . , U_(n), V], then it may be decrypted using

$M = V \oplus H_2\left(\frac{\hat{e}(U_0, S_{z(n+1)})}{\prod_{i=l+2}^{n} \hat{e}(Q_{z(i-1)}, U_i)}\right).$

[0123] Authenticated Lower-Level Root PKGs

[0124] The efficiencies of the dual-HIDE schemes described above may be extended to message senders who are outside the hierarchy by creating an authenticated lower-level root PKG. To “authenticate” the lower-level PKG, the root PKG may issue an additional parameter, such as a random message M′. The lower-level PKG then “signs” M′, generating the signature Sig=S_(zl)+s_(zl)P_(M′), where S_(l) is the lower-level PKG's private key, and s_(t) is its lower-level key generation secret. The lower-level PKG also publishes Q_(i) for 1≦i≦t.

[0125] Taking advantage of the authenticated lower-level root PKG, a sender outside the hierarchy may send an encrypted message to the recipient z without computing public elements P_(zi) for all n of the recipient's ancestor PKGs. Rather, the sender may use the parameters for the lower-level authenticated root PKG to encrypt the message more efficiently. In particular, the sender computes P_(zi)=H₁(ID₁, . . . , ID_(zi))∈G₁ for l+1≦i≦n+1. The sender then chooses a random r∈Z/qZ, and generates the ciphertext C=[rP₀, rP_(z(l+1)), . . . , rP_(z(n+1)), M⊕H₂(g_(zl)^(r))], where

$g_{zl} = \frac{\hat{e}(P_0, Sig)}{\hat{e}(s_{zl}P_0, P_{M'})} = \hat{e}(P_0, S_{zl}).$

[0126] Letting the received ciphertext C=[U₀, U_(l+1), . . . , U_(n+1), V], the recipient may then decrypt the ciphertext to recover the message

$M = V \oplus H_2\left[\frac{\hat{e}(U_0, S_{z(n+1)})}{\prod_{i=l+1}^{n+1} \hat{e}(Q_{z(i-1)}, U_i)}\right],$

[0127] where S_(z(n+1)) is the recipient's private key.

[0128] Distributed PKGs

[0129] To further protect the key generation secrets of the HIDE schemes described above, and to make the schemes robust against dishonest PKGs, the key generation secrets and private keys may be distributed using known techniques of threshold cryptography.

[0130] More Efficient Encryption

[0131] The efficiency of encryption for the HIDE schemes described above may be increased by merging the highest two levels of the hierarchy into a single root PKG. In that case, g=ê(Q₀, P₁) is included in the system parameters. This saves encrypters the task of computing the value of this pairing. However, the decrypters must compute one extra pairing (as a result of being one level lower down the tree).

[0132] HIDS Schemes

[0133] Turning now to the signature, or HIDS, schemes of the present invention, FIG. 7 shows a flow diagram illustrating a method of generating and verifying a digital signature according to another presently preferred embodiment of the invention. The method is performed in a HIDS system including a plurality of PKGs. The PKGs include at least a root PKG and n lower-level PKGs in the hierarchy between the root PKG and the sender, or signer, wherein n≧1. In block 702, the root PKG selects a root key generation secret known only to the root PKG. The root key generation secret may be used to generate private keys for PKGs or users below the root PKG in the hierarchy. The root PKG then generates a root key generation parameter based on the root key generation secret in block 704. The lower-level PKGs select lower-level key generation secrets in block 706. The lower-level key generation associated with a given lower-level PKG may be used to generate private keys for PKGs or users below the associated lower-level PKG in the hierarchy. Like the root key generation secret, each of the lower-level key generation secrets is known only to its associated lower-level PKG. In block 708, lower-level key generation parameters are generated for each of the n lower-level PKGs. Each of the lower-level key generation parameters is generated using at least the lower-level key generation secret for its associated lower-level PKG.

[0134] In block 710, a lower-level PKG generates a private key for the recipient such that the private key is related to at least one of the n lower-level key generation secrets. For instance, the sender's private key may be related at least to the lower-level key generation secret of the PKG that issued the private key to the recipient. Preferably, however, the recipient's private key may be related to all n of its ancestral PKG's lower-level key generation secrets, as well as the root key generation secret. In block 712, the sender uses at least its private key to sign the message and generate the digital signature. The recipient, or verifier, then verifies the digital signature in block 714 using at least one of the lower-level key generation parameters. For instance, the signature may be verified using only the root key generation parameter. Alternatively, one or more of the lower-level key generation parameters also may be used.

[0135] FIG. 8 shows a flow diagram illustrating a method of generating and verifying a digital signature Sig of a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention. The sender y 306 is m+1 levels below the root PKG in the hierarchy, as shown in FIG. 3, and is associated with the ID-tuple (ID_(y1), . . . , ID_(y(m+1))). The sender's ID-tuple includes identity information ID_(y(m+1)) associated with the sender, as well as identity information ID_(yi) associated with each of its m ancestral lower-level PKGs in the hierarchy. The method begins in block 802 by generating first and second cyclic groups G₁ and G₂ of elements. In block 804, a function ê is selected, such that the function ê is capable of generating an element of the second cyclic group G₂ from two elements of the first cyclic group G₁. The function ê preferably is an admissible pairing, as described above. A root generator P₀ of the first cyclic group G₁ is selected in block 806. In block 808, a random root key generation secret s₀ associated with and known only to the root PKG 302 is selected. Preferably, s₀ is an element of the cyclic group Z/qZ. A root key generation parameter Q₀=s₀P₀ is generated in block 810. Preferably, Q₀ is an element of the first cyclic group G₁. In block 812, a first function H₁ is selected such that H₁ is capable of generating an element of the first cyclic group G₁ from a first string of binary digits. A second function H₃ is selected in block 814, such that H₃ is capable of generating a second string of binary digits from an element of the second cyclic group G₂. The functions of blocks 802 through 814 are part of the HIDS Root Setup algorithm described above, and preferably are performed at about the same time. By way of example, functions such as those disclosed in Boneh-Franklin may be used as H₁ and H₃. In fact, the functions H₁ and H₃ may be exactly the same function. However, there is a potential pitfall. An attacker may try to get the signer to sign M=ID_(t), wherein ID_(t) represents an actual identity. In this case, the signer's signature may actually be a private key, which thereafter may be used to decrypt messages and forge signatures. This pitfall may be avoided, however, by using some expedient—such as a bit prefix or a different function for H₃—that distinguishes between signing and private key extraction.

[0136] The next series of blocks (blocks 816 through 824) show the functions performed as part of Lower-level Setup algorithm. In block 816, a public element P_(yi) is generated for each of the sender's m ancestral lower-level PKGs. Each of the public elements, P_(yi)=H₁(ID₁, . . . , ID_(yi)) for 1≦i≦m, preferably is an element of the first cyclic group G₁. Although represented in a single block, generation of all the public elements P_(yi) may take place over time, rather than all at once.

[0137] A lower-level key generation secret s_(yi) is selected (block 818) for each of the sender's m ancestral lower-level PKGs 304 a,b,d. The lower-level key generation secrets s_(yi) preferably are elements of the cyclic group Z/qZ for 1≦i≦m, and each lower-level key generation secret s_(yi) preferably is known only to its associated lower-level PKG. Again, although represented in a single block, selection of all the secrets s_(yi) may take place over time, rather than all at once.

[0138] A lower-level secret element S_(yi) is generated (block 820) for each of the sender's m ancestral lower-level PKGs. Each lower-level secret element, S_(yi)=S_(y(i−1))+s_(y(i−1))P_(yi) for 1≦i≦m, preferably is an element of the first cyclic group G₁. Although represented in a single block like the public elements P_(yi) and the secrets s_(yi), generation of all the secret elements S_(yi) may take place over time, rather than all at once. For purposes of these iterative key generation processes, S₀ preferably is defined to be the identity element of G₁.

[0139] A lower-level key generation parameter Q_(yi) also is generated (block 824) for each of the sender's m ancestral lower-level PKGs. Each of the key generation parameters, Q_(yi)=s_(yi)P₀ for 1≦i≦m, preferably is an element of the first cyclic group G₁. Again, although represented in a single block, generation of all the key generation parameters Q_(yi) may take place over time, rather than all at once.

[0140] The functions of the next two blocks (blocks 824 and 826) are performed as part of the Extraction algorithm described above. A sender public element P_(y(m+1)) associated with the sender y is generated in block 824. The sender public element, P_(y(m+1))=H₁(ID_(y1), . . . , ID_(y(m+1))), preferably is an element of the first cyclic group G₁. A sender secret element S_(y(m+1)) associated with the sender y is then generated in block 826. The sender secret element $S_{y(m+1)} = S_{ym} + s_{ym}P_{y(m+1)} = \sum_{i=1}^{m+1} s_{y(i-1)}P_{yi}$,

[0141] also preferably is an element of the first cyclic group G₁.

[0142] For convenience, the first function H₁ optionally may be chosen to be an iterated function so that, for example, the public points P_(i) may be computed as H₁(P_(y(i−1)), ID_(yi)) rather than H₁(ID₁, . . . , ID_(yi)).

[0143] The last two blocks shown in FIG. 8 (blocks 828 and 830) represent the Signing and Verification algorithms described above. In block 828, the message M is signed to generate a digital signature Sig. The signing preferably uses at least the sender secret element S_(y(m+1)). The digital signature Sig is then verified in block 830. The verification preferably uses at least the root key generation parameter Q₀ and the lower-level key generation parameters Q_(yi). The specific use of these parameters and elements in the signing of the message M and verification of the digital signature Sig will now be discussed with reference to FIG. 9.

[0144] FIG. 9 shows a flow diagram illustrating a method of generating and verifying a digital signature Sig of a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention. In this scheme the Root Setup, Lower-level Setup, and Extraction algorithms are the same as for the embodiment shown in blocks 802 through 826 of FIG. 8. Accordingly, the flow diagram of FIG. 9 begins with the selection of a sender key generation secret s_(y(m+1)), known only to the sender y, in block 927 a. A sender key generation parameter Q_(y(m+1)) associated with the sender is generated in block 927 b using the formula Q_(y(m+1))=s_(y(m+1))P₀. The Signing algorithm then begins with the sender generating a message element P_(M)=H₃(ID_(y1), . . . , ID_(y(m+1)), M) in block 928 a. The message element P_(M) preferably is a member of the first cyclic group G₁. The digital signature Sig itself is generated in block 928 b using the formula Sig=S_(y(m+1))+s_(y(m+1))P_(M). The recipient verifies the digital signature Sig (block 930) by confirming that the formula $\frac{\hat{e}(P_0, Sig)}{\hat{e}(Q_{y(m+1)}, P_M)\prod_{i=2}^{m+1}\hat{e}(Q_{y(i-1)}, P_{yi})} = \hat{e}(Q_0, P_1)$

[0145] is satisfied.
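The FIG. 9 signing and verification equations, and the H₁/H₃ pitfall noted in paragraph [0135], can be checked in a toy model. The Python below is an added illustration, not code from the patent: it assumes a deliberately insecure stand-in for the pairing (a G₁ element is stored as its scalar modulo a small prime), and the names `extract_chain`, `sign`, `verify`, `child_key`, `H3_same` and `H3_prefixed`, like the sample identities, are hypothetical.

```python
import hashlib
import secrets

# Toy bilinear group, constructed for illustration and NOT secure: a G1 element
# a*P0 is stored as the scalar a mod Q, so every discrete log is visible.
P = 2**127 - 1                  # Mersenne prime; G2 is the order-Q subgroup of Z_P^*
Q = 77158673929                 # prime factor of 2^63 + 1, which divides P - 1
G = next(g for g in (pow(b, (P - 1) // Q, P) for b in range(2, 64)) if g != 1)
P0 = 1                          # root generator of G1 in this model


def pairing(a, b):
    """e(a*P0, b*P0) = G^(a*b): bilinear and non-degenerate."""
    return pow(G, (a * b) % Q, P)


def _hash_to_g1(tag, items):
    """Hash a one-byte domain tag plus length-prefixed strings to a G1 element."""
    h = hashlib.sha256(tag)
    for item in items:
        raw = item.encode()
        h.update(len(raw).to_bytes(4, "big") + raw)
    return int.from_bytes(h.digest(), "big") % Q


def H1(ids):
    """Public element P_i = H1(ID_1, ..., ID_i)."""
    return _hash_to_g1(b"\x00", ids)


def H3_same(ids, msg):
    """The pitfall: H3 is exactly the same function as H1."""
    return H1(tuple(ids) + (msg,))


def H3_prefixed(ids, msg):
    """The fix: a different prefix separates signing from key extraction."""
    return _hash_to_g1(b"\x01", tuple(ids) + (msg,))


def extract_chain(ids):
    """Root Setup, Lower-level Setup and Extraction along one path of the tree."""
    t = len(ids)                                        # t = m + 1
    s = [secrets.randbelow(Q - 1) + 1 for _ in range(t + 1)]   # s_0 .. s_(m+1)
    q_par = [si * P0 % Q for si in s]                   # Q_i = s_i * P0
    secret_elem = 0                                     # S_0 = identity of G1
    for i in range(1, t + 1):                           # S_i = S_(i-1) + s_(i-1) * P_i
        secret_elem = (secret_elem + s[i - 1] * H1(ids[:i])) % Q
    return {"ids": tuple(ids), "s": s, "Q": q_par, "S": secret_elem}


def sign(chain, msg, h3):
    """Sig = S_(m+1) + s_(m+1) * P_M with P_M = H3(ID_1, ..., ID_(m+1), M)."""
    return (chain["S"] + chain["s"][-1] * h3(chain["ids"], msg)) % Q


def verify(ids, q_par, msg, sig, h3):
    """FIG. 9 check, cross-multiplied so that no inverse in G2 is needed."""
    t = len(ids)
    rhs = pairing(q_par[0], H1(ids[:1])) * pairing(q_par[t], h3(ids, msg)) % P
    for i in range(2, t + 1):
        rhs = rhs * pairing(q_par[i - 1], H1(ids[:i])) % P
    return pairing(P0, sig) == rhs


def child_key(chain, child_id):
    """Private key the signer, acting as a PKG, would extract for a child identity."""
    return (chain["S"] + chain["s"][-1] * H1(chain["ids"] + (child_id,))) % Q


def demo():
    ids = ("example-org", "engineering", "alice")      # constructed ID-tuple
    chain = extract_chain(ids)
    sig = sign(chain, "pay 10", H3_prefixed)
    return {
        "valid": verify(ids, chain["Q"], "pay 10", sig, H3_prefixed),
        "tampered": verify(ids, chain["Q"], "pay 99", sig, H3_prefixed),
        "same_hash_leaks_key": sign(chain, "bob", H3_same) == child_key(chain, "bob"),
        "prefix_leaks_key": sign(chain, "bob", H3_prefixed) == child_key(chain, "bob"),
    }


if __name__ == "__main__":
    print(demo())
```

With `H3_same`, a signature on the message "bob" is identical to the private key for the child identity (…, alice, bob); the one-byte prefix in `H3_prefixed` is the kind of expedient the paragraph recommends.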

[0146] The invention has been described in detail with particular reference to preferred embodiments thereof and illustrative examples, but it will be understood that variations and modifications can be effected within the spirit and scope of the invention.

1. A method of encoding and decoding a digital message between a sender and a recipient, wherein the recipient is n+1 levels below a root PKG in a hierarchical system including a plurality of PKGs, the plurality of PKGs including at least the root PKG and n lower-level PKGs in the hierarchy between the root PKG and the recipient, wherein n≧1, the method comprising: selecting a root key generation secret that is known only to the root PKG; generating a root key generation parameter based on the root key generation secret; selecting a lower-level key generation secret for each of the n lower-level PKGs, wherein each lower-level key generation secret is known only to its associated lower-level PKG; generating a lower-level key generation parameter for each of the n lower-level PKGs, wherein each lower-level key generation parameter is generated using at least the lower-level key generation secret for its associated lower-level PKG; encoding the message to form a ciphertext using at least the root key generation parameter and recipient identity information; generating a recipient private key such that the recipient private key is related to at least the root key generation secret, one or more of the n lower-level key generation secrets associated with the n lower-level PKGs in the hierarchy between the root PKG and the recipient, and the recipient identity information; and decoding the ciphertext to recover the message using at least the recipient private key.
2. A method of encoding and decoding a message as in claim 1, wherein the recipient identity information comprises a recipient ID-tuple (ID_(z1), . . . , ID_(z(n+1))) that includes identity information ID_(z(n+1)) associated with the recipient and identity information ID_(zi) associated with each of n lower-level PKGs in the hierarchy between the root PKG and the recipient.
3. A method of encoding and decoding a message as in claim 1, wherein the recipient private key is related to all of the n lower-level key generation secrets associated with the n lower-level PKGs in the hierarchy between the root PKG and the recipient.
4. A method of encoding and decoding a message as in claim 1, wherein encoding the message further includes securing the ciphertext against chosen-ciphertext attacks.
5. A method of encoding and decoding a message as in claim 4: wherein encoding the message further includes encrypting the message according to a symmetrical encryption scheme to form a symmetrical encryption; and encrypting the symmetrical encryption according to a one-way encryption scheme to form the ciphertext; and wherein decoding the ciphertext further includes decrypting the ciphertext according to the one-way encryption scheme to recover the symmetrical encryption; and decrypting the symmetrical encryption according to the symmetrical encryption scheme to recover the message.
6. A method of encoding and decoding a message between a sender and a recipient in a system including a plurality of PKGs, the plurality of PKGs including m lower-level PKGs in the hierarchy between the root PKG and the sender, wherein m≧1, and n lower-level PKGs in the hierarchy between the root PKG and the recipient, wherein n≧1, wherein at least l of the plurality of PKGs in the hierarchy are common ancestors to both the sender and the recipient, wherein l≧1, and wherein PKG_(l) is a common ancestor PKG to both the sender and the recipient, the method further comprising: selecting a root key generation secret that is known only to the root PKG; generating a root key generation parameter based on the root key generation secret; selecting a lower-level key generation secret for each of the m and n lower-level PKGs, wherein each lower-level key generation secret is known only to its associated lower-level PKG; generating a lower-level key generation parameter for each of the m and n lower-level PKGs, wherein each lower-level key generation parameter is generated using at least the lower-level key generation secret for its associated lower-level PKG; generating a sender private key such that the sender private key is related to at least sender identity information, the root key generation secret, and one or more of the m lower-level key generation secrets associated with the m PKGs between the root PKG and the sender; generating a recipient private key such that the recipient private key is related to at least recipient identity information, the root key generation secret, and one or more of the n lower-level key generation secrets associated with the n lower-level PKGs in the hierarchy between the root PKG and the recipient; encoding the message using at least the recipient identity information, the sender private key, and zero or more of the lower-level key generation parameters associated with the (m−l+1) PKGs between the root PKG and the sender that are at or below the level of the common ancestor PKG_(l), but not any of the lower-level key generation parameters that are associated with the (l−1) PKGs above the common ancestor PKG_(l); and decoding the ciphertext using at least the recipient private key and zero or more of the lower-level key generation parameters associated with the (n−l+1) PKGs between the root PKG and the recipient that are at or below the level of the lowest common ancestor PKG_(l), but not using any of the lower-level key generation parameters that are associated with the (l−1) PKGs that are above the common ancestor PKG_(l).
7. A method of encoding and decoding a message as in claim 6: wherein encoding the message further includes using one or more of the lower-level key generation parameters associated with the (m−l+1) PKGs between the root PKG and the sender that are at or below the level of the common ancestor PKG_(l); and wherein decoding the message further includes using one or more of the lower-level key generation parameters associated with the (n−l+1) PKGs between the root PKG and the recipient that are at or below the level of the lowest common ancestor PKG_(l).
8. A method of encoding and decoding a message as in claim 6: wherein encoding the message further includes using one or more of the lower-level key generation parameters associated with the (m−l+1) PKGs between the root PKG and the sender that are at or below the level of the common ancestor PKG_(l); and wherein decoding the message further includes using zero of the lower-level key generation parameters associated with the (n−l+1) PKGs between the root PKG and the recipient that are at or below the level of the lowest common ancestor PKG_(l).
9. A method of encoding and decoding a message as in claim 6: wherein encoding the message further includes using zero of the lower-level key generation parameters associated with the (m−l+1) PKGs between the root PKG and the sender that are at or below the level of the common ancestor PKG_(l); and wherein decoding the message further includes using one or more of the lower-level key generation parameters associated with the (n−l+1) PKGs between the root PKG and the recipient that are at or below the level of the lowest common ancestor PKG_(l).
10. A method of encoding and decoding a message as in claim 6, wherein the message is encoded using all of the lower-level key generation parameters associated with the (m−l+1) PKGs between the root PKG and the sender that are at or below the level of the common ancestor PKG_(l).
11. A method of encoding and decoding a message as in claim 6, wherein the message is decoded using all of the lower-level key generation parameters associated with the (n−l+1) PKGs between the root PKG and the recipient that are at or below the level of the common ancestor PKG_(l).
12. A method of generating and verifying a digital signature of a message between a sender and a recipient, wherein the sender is m+1 levels below a root PKG in a hierarchical system including a plurality of PKGs, the plurality of PKGs including at least the root PKG and m lower-level PKGs in the hierarchy between the root PKG and the sender, wherein m≧1, the method comprising: selecting a root key generation secret that is known only to the root PKG; generating a root key generation parameter based on the root key generation secret; generating a lower-level key generation secret for each of the m lower-level PKGs, wherein each lower-level key generation secret is known only to its associated lower-level PKG; generating a lower-level key generation parameter for each of the m lower-level PKGs, wherein each lower-level key generation parameter is generated using at least the lower-level key generation secret for its associated lower-level PKG; generating a sender private key for the sender such that the sender private key is related to at least sender identity information, the root key generation secret, and one or more of the m lower-level key generation secrets associated with the m lower-level PKGs in the hierarchy between the root PKG and the sender; signing the message to generate the digital signature using at least the sender private key; and verifying the digital signature using at least the root key generation parameter and the sender identity information.
13. A method of generating and verifying a digital signature as in claim 12, wherein: one or more of the lower-level key generation parameters also is used to verify the digital signature.
14. A method of generating a private key for an entity in a system including a plurality of PKGs, the plurality of PKGs including at least a root PKG and n lower-level PKGs in the hierarchy between the root PKG and the entity, wherein n≧1, the method comprising: generating a root key generation secret that is known only to the root PKG; generating a root key generation parameter based on the root key generation secret; generating a lower-level key generation secret for each of the n lower-level PKGs, wherein each lower-level key generation secret is known only to its associated lower-level PKG; generating a lower-level key generation parameter for each of the n lower-level PKGs, wherein each lower-level key generation parameter is generated using at least the lower-level key generation secret for its associated lower-level PKG; generating a private key for the entity such that the private key is related to at least identity information associated with the entity, the root key generation secret, and one or more of the n lower-level key generation secrets associated with the n lower-level PKGs in the hierarchy between the root PKG and the entity; and providing the private key to the entity.
15. A method of generating a private key for a recipient z in a system, wherein the recipient z is n+1 levels below a root PKG in the hierarchy, and wherein the recipient is associated with a recipient ID-tuple (ID_(z1), . . . , ID_(z(n+1))) that includes identity information ID_(z(n+1)) associated with the recipient and identity information ID_(zi) associated with each of n lower-level PKGs in the hierarchy between the root PKG and the recipient, the method comprising: generating a first cyclic group G₁ of elements and a second cyclic group G₂ of elements; selecting a function ê capable of generating an element of the second cyclic group G₂ from two elements of the first cyclic group G₁; selecting a root generator P₀ of the first cyclic group G₁; selecting a random root key generation secret s₀ associated with and known only to the root PKG; generating a root key generation parameter Q₀=s₀P₀; selecting a function H₁ capable of generating an element of the first cyclic group G₁ from a first string of binary digits; generating a public element P_(zi) for each of the n lower-level PKGs, wherein P_(zi)=H₁(ID₁, . . . , ID_(zi)) for 1≦i≦n; selecting a lower-level key generation secret s_(zi) for each of the n lower-level PKGs, wherein each lower-level key generation secret s_(zi) is known only to its associated lower-level PKG; generating a lower-level secret element S_(zi) for each of the n lower-level PKGs, wherein S_(zi)=S_(z(i−1))+s_(z(i−1))P_(zi) for 1≦i≦n, wherein s_(z0)=s₀, and wherein S_(z0) is defined to be zero; generating a lower-level key generation parameter Q_(zi) for each of the n lower-level PKGs, wherein Q_(zi)=s_(zi)P₀ for 1≦i≦n; generating a recipient public element P_(z(n+1))=H₁(ID_(z1), . . . , ID_(z(n+1))) associated with the recipient, wherein P_(z(n+1)) is an element of the first cyclic group G₁; and generating a recipient private key $S_{z(n+1)} = S_{zn} + s_{zn}P_{z(n+1)} = \sum_{i=1}^{n+1} s_{z(i-1)}P_{zi}$ associated with the recipient.
16. A method of generating a private key as in claim 15, wherein: both the first group G₁ and the second group G₂ are of the same prime order q.
17. A method of generating a private key as in claim 15, wherein: the first cyclic group G₁ is an additive group of points on a supersingular elliptic curve or abelian variety, and the second cyclic group G₂ is a multiplicative subgroup of a finite field.
18. A method of generating a private key as in claim 15, wherein: the function ê is an admissible pairing.
19. A method of generating a private key as in claim 15, wherein: s₀ is an element of the cyclic group Z/qZ; Q₀ is an element of the first cyclic group G₁; each of the public elements P_(zi) is an element of the first cyclic group G₁; each of the lower-level key generation secrets s_(zi) is an element of the cyclic group Z/qZ; each secret element S_(zi) is an element of the first cyclic group G₁; each of the lower-level key generation parameters Q_(zi) is an element of the first cyclic group G₁; the recipient public element P_(z(n+1)) is an element of the first cyclic group G₁; and the recipient private key S_(z(n+1)) is an element of the first cyclic group G₁.
20. A method of encoding and decoding a digital message M communicated between a sender and a recipient z, wherein the recipient z is n+1 levels below a root PKG in a hierarchical system, and wherein the recipient is associated with a recipient ID-tuple (ID_(z1), . . . , ID_(z(n+1))) that includes identity information ID_(z(n+1)) associated with the recipient and identity information ID_(zi) associated with each of n lower-level PKGs in the hierarchy between the root PKG and the recipient, the method comprising: generating a first cyclic group G₁ of elements and a second cyclic group G₂ of elements; selecting a function ê capable of generating an element of the second cyclic group G₂ from two elements of the first cyclic group G₁; selecting a root generator P₀ of the first cyclic group G₁; selecting a random root key generation secret s₀ associated with and known only to the root PKG; generating a root key generation parameter Q₀=s₀P₀; selecting a first function H₁ capable of generating an element of the first cyclic group G₁ from a first string of binary digits; selecting a second function H₂ capable of generating a second string of binary digits from an element of the second cyclic group G₂; generating a public element P_(zi) for each of the n lower-level PKGs, wherein P_(zi)=H₁(ID₁, . . . , ID_(zi)) for 1≦i≦n; selecting a lower-level key generation secret s_(zi) for each of the n lower-level PKGs, wherein each lower-level key generation secret s_(zi) is known only to its associated lower-level PKG; generating a lower-level secret element S_(zi) for each of the n lower-level PKGs, wherein S_(zi)=S_(z(i−1))+s_(z(i−1))P_(zi) for 1≦i≦n, wherein s_(z0)=s₀, and wherein S_(z0) is defined to be zero; generating a lower-level key generation parameter Q_(zi) for each of the n lower-level PKGs, wherein Q_(zi)=s_(zi)P₀ for 1≦i≦n; generating a recipient public element P_(z(n+1))=H₁(ID_(z1), . . . , ID_(z(n+1))) associated with the recipient; generating a recipient secret element $S_{z(n+1)} = S_{zn} + s_{zn}P_{z(n+1)} = \sum_{i=1}^{n+1} s_{z(i-1)}P_{zi}$ associated with the recipient; encoding the message M to generate a ciphertext C using at least the recipient ID-tuple (ID₁, . . . , ID_(zi)) and the root key generation parameter Q₀; and decoding the ciphertext C to recover the message M using at least the recipient secret element S_(z(n+1)).
21. A method of encoding and decoding a digital message M as in claim 20, wherein: both the first group G₁ and the second group G₂ are of the same prime order q.
22. A method of encoding and decoding a digital message M as in claim 20, wherein: the first cyclic group G₁ is an additive group of points on a supersingular elliptic curve or abelian variety, and the second cyclic group G₂ is a multiplicative subgroup of a finite field.
23. A method of encoding and decoding a digital message M as in claim 20, wherein: the function ê is a bilinear, non-degenerate, and efficiently computable pairing.
24. A method of encoding and decoding a digital message M as in claim 20, wherein: s₀ is an element of the cyclic group Z/qZ; Q₀ is an element of the first cyclic group G₁; each of the public elements P_(zi) is an element of the first cyclic group G₁; each of the lower-level key generation secrets s_(zi) is an element of the cyclic group Z/qZ; each secret element S_(zi) is an element of the first cyclic group G₁; each of the lower-level key generation parameters Q_(zi) is an element of the first cyclic group G₁; the recipient public element P_(z(n+1)) is an element of the first cyclic group G₁; and the recipient secret element S_(z(n+1)) is an element of the first cyclic group G₁.
25. A method of encoding and decoding a digital message M as in claim 20, wherein: encoding the message M further includes: selecting a random parameter r; and generating the ciphertext C=[U₀, U₂, . . . , U_(n+1), V], wherein U_(i)=rP_(zi) for i=0 and for 2≦i≦n+1, wherein V=M⊕H₂(g^(r)), and wherein g=ê(Q₀, P_(z1)); and decoding the ciphertext C further includes: recovering the message M, using $M = V \oplus H_2\left(\frac{\hat{e}(U_0, S_{z(n+1)})}{\prod_{i=2}^{n+1}\hat{e}(Q_{i-1}, U_i)}\right)$.
26. A method of encoding and decoding a digital message M as in claim 25, wherein: both the first group G₁ and the second group G₂ are of the same prime order q.
27. A method of encoding and decoding a digital message M as in claim 25, wherein: the first cyclic group G₁ is an additive group of points on a supersingular elliptic curve or abelian variety, and the second cyclic group G₂ is a multiplicative subgroup of a finite field.
28. A method of encoding and decoding a digital message M as in claim 25, wherein: the function ê is a bilinear, non-degenerate, and efficiently computable pairing.
29. A method of encoding and decoding a digital message M as in claim 25, wherein: s₀ is an element of the cyclic group Z/qZ; Q₀ is an element of the first cyclic group G₁; each of the public elements P_(zi) is an element of the first cyclic group G₁; each of the lower-level key generation secrets s_(zi) is an element of the cyclic group Z/qZ; each secret element S_(zi) is an element of the first cyclic group G₁; each of the lower-level key generation parameters Q_(zi) is an element of the first cyclic group G₁; the recipient public element P_(z(n+1)) is an element of the first cyclic group G₁; the recipient secret element S_(z(n+1)) is an element of the first cyclic group G₁; r is an element of the cyclic group Z/qZ; and g is an element of the second cyclic group G₂.
30. A method of encoding and decoding a digital message M as in claim 20, further comprising: selecting a third function H₃ capable of generating an integer of the cyclic group Z/qZ from a third string of binary digits; and selecting a fourth function H₄ capable of generating a fourth string of binary digits from a fifth string of binary digits; wherein encoding the message M further includes: selecting a random binary string σ, selecting a symmetric encryption scheme E; generating a random integer r=H₃(σ, M, W), wherein W=E_(H₄(σ))(M); and generating the ciphertext C=[U₀, U₂, . . . , U_(n+1), V, W], wherein U_(i)=rP_(zi) for i=0 and for 2≦i≦n+1, wherein V=σ⊕H₂(g^(r)), and wherein g=ê(Q₀, P_(z1)); and wherein decoding the ciphertext C further includes: recovering the random binary string σ using $\sigma = V \oplus H_2\left(\frac{\hat{e}(U_0, S_{z(n+1)})}{\prod_{i=2}^{n+1}\hat{e}(Q_{i-1}, U_i)}\right)$; and recovering the message M using M=E_(H₄(σ))⁻¹(W).
31. A method of encoding and decoding a digital message M as in claim 30, wherein: both the first cyclic group G₁ and the second cyclic group G₂ are of the same prime order q.
32. A method of encoding and decoding a digital message M as in claim 30, wherein: the first cyclic group G₁ is an additive group of points on a supersingular elliptic curve or abelian variety, and the second cyclic group G₂ is a multiplicative subgroup of a finite field.
33. A method of encoding and decoding a digital message M as in claim 30, wherein: the function ê is a bilinear, non-degenerate, and efficiently computable pairing.
34. A method of encoding and decoding a digital message M as in claim 30, further comprising: confirming the internal consistency of the ciphertext C by: computing an experimental random integer r′=H₃(σ, M, W); and confirming that U₀=r′P₀ and U_(i)=r′P_(zi) for 2≦i≦n+1.
35. A method of encoding and decoding a digital message M as in claim 30, wherein: s₀ is an element of the cyclic group Z/qZ; Q₀ is an element of the first cyclic group G₁; each of the public elements P_(zi) is an element of the first cyclic group G₁; each of the lower-level key generation secrets s_(zi) is an element of the cyclic group Z/qZ; each secret element S_(zi) is an element of the first cyclic group G₁; each of the lower-level key generation parameters Q_(zi) is an element of the first cyclic group G₁; the recipient public element P_(z(n+1)) is an element of the first cyclic group G₁; the recipient secret element S_(z(n+1)) is an element of the first cyclic group G₁; r is an element of the cyclic group Z/qZ; and g is an element of the second cyclic group G₂.
36. A method of encoding and decoding a digital message M between a sender y and a recipient z in a system including a plurality of PKGs, the plurality of PKGs including m lower-level PKGs in the hierarchy between the root PKG and the sender y, wherein m≧1, and n lower level PKGs in the hierarchy between the root PKG and the recipient z, wherein n≧1, wherein at least l of the PKGs in the hierarchy are common ancestors to both the sender y and the recipient z, wherein l≧1, wherein PKG_(l) is a common ancestor PKG to both the sender and the recipient, wherein the sender y is associated with a sender ID-tuple (ID_(y1), . . . , ID_(y(m+1))) that includes identity information ID_(y(m+1)) associated with the sender y and identity information ID_(yi) associated with each of m lower-level PKGs in the hierarchy between the root PKG and the sender y, and wherein the recipient is associated with a recipient ID-tuple (ID_(zl), . . . , ID_(z(n+1))) that includes identity information ID_(z(n+1)) associated with the recipient and identity information ID_(zi) associated with each of n lower-level PKGs in the hierarchy between the root PKG and the recipient, the method further comprising: generating a first cyclic group G₁ of elements and a second cyclic group G₂ of elements; selecting a function ê capable of generating an element of the second cyclic group G₂ from two elements of the first cyclic group G₁; selecting a root generator P₀ of the first cyclic group G₁; selecting a random root key generation secret s₀ associated with and known only to the root PKG; generating a root key generation parameter Q₀=s₀P₀; selecting a first function H₁ capable of generating an element of the first cyclic group G₁ from a first string of binary digits; selecting a second function H₂ capable of generating a second string of binary digits from an element of the second cyclic group G₂; generating a public element P_(yi) for each of the m lower-level PKGs, wherein P_(yi)=H₁(ID_(y1), . . . , ID_(yi)) for 1≦i≦m, and wherein P_(yi)=P_(zi) for all i≦l; generating a public element P_(zi) for each of the n lower-level PKGs, wherein P_(zi)=H₁(ID₁, . . . , ID_(zi)) for 1≦i≦n; selecting a lower-level key generation secret s_(yi) for each of the m lower-level PKGs, wherein s_(yi)=s_(zi) for all i≦l; selecting a lower-level key generation secret s_(zi) for each of the n lower-level PKGs, wherein each lower-level key generation secret s_(zi) is known only to its associated lower-level PKG; generating a lower-level secret element S_(yi) for each of the m lower-level PKGs, wherein S_(yi)=S_(y(i−1))+s_(y(i−1))P_(yi) for 1≦i≦m, and wherein S_(yi)=S_(zi) for all i≦l; generating a lower-level secret element S_(zi) for each of the n lower-level PKGs, wherein S_(zi)=S_(z(i−1))+s_(z(i−1))P_(zi) for 1≦i≦n, wherein s_(z0)=s₀, and wherein S_(z0) is defined to be zero; generating a lower-level key generation parameter Q_(yi) for each of the m lower-level PKGs, wherein Q_(yi)=s_(yi)P₀ for 1≦i≦m, and wherein Q_(yi)=Q_(zi) for all i≦l; generating a lower-level key generation parameter Q_(zi) for each of the n lower-level PKGs, wherein Q_(zi)=s_(zi)P₀ for 1≦i≦n; generating a sender public element P_(y(m+1))=H₁(ID_(y1), . . . , ID_(y(m+1))) associated with the sender y; generating a recipient public element P_(z(n+1))=H₁(ID_(z1), . . . , ID_(z(n+1))) associated with the recipient; generating a sender secret element $S_{y(m+1)} = S_{ym} + s_{ym}P_{y(m+1)} = \sum_{i=1}^{m+1} s_{y(i-1)}P_{yi}$ associated with the sender; generating a recipient secret element $S_{z(n+1)} = S_{zn} + S_{zn}P_{z(n+1)} = \sum_{i=1}^{n+1} s_{z(i-1)}P_{zi}$ associated with the recipient; encoding the message M to generate a ciphertext C using at least the lower-level key generation parameters Q_(yi) for l<i≦m and the sender secret element S_(y(m+1)), but not using the lower-level key generation parameters Q_(yi) for i<l; and decoding the ciphertext C to recover the message M using at least the lower-level key generation parameters Q_(zi) for l<i≦n and the recipient secret element S_(z(n+1)), but not using the lower-level key generation parameters Q_(zi) for i<l.
37. A method of encoding and decoding a digital message M as in claim 36, wherein encoding the message M further includes using the lower level key generation parameter Q_(yl).
38. A method of encoding and decoding a digital message M as in claim 36, wherein decoding the message M further includes using the lower level key generation parameter Q_(zl).
39. A method of encoding and decoding a digital message M as in claim 36, wherein: both the first cyclic group G₁ and the second cyclic group G₂ are of the same prime order q.
40. A method of encoding and decoding a digital message M as in claim 36, wherein: the first cyclic group G₁ is an additive group of points on a supersingular elliptic curve or abelian variety, and the second cyclic group G₂ is a multiplicative subgroup of a finite field.
41. A method of encoding and decoding a digital message M as in claim 36, wherein: the function ê is a bilinear, non-degenerate, and efficiently computable pairing.
42. A method of encoding and decoding a digital message M as in claim 36, wherein: S₀ is an element of the cyclic group Z/qZ; Q₀ is an element of the first cyclic group G₁; each of the public elements P_(zi) is an element of the first cyclic group G₁; each of the public elements P_(yi) is an element of the first cyclic group G; each of the lower-level key generation secrets s_(zi) is an element of the cyclic group Z/qZ; each of the lower-level key generation secrets S_(yi) is an element of the cyclic group Z/qZ; each secret element S_(zi) is an element of the first cyclic group G₁; each secret element S_(yi) is an element of the first cyclic group G₁; each of the lower-level key generation parameters Q_(zi) is an element of the first cyclic group G₁; each of the lower-level key generation parameters Q_(yi) is an element of the first cyclic group G₁; the recipient public element P_(z(n+1)) is an element of the first cyclic group G₁; the sender public element P_(y(m+1)) is an element of the first cyclic group G₁; the recipient secret element S_(z(n+1)) is an element of the first cyclic group G₁; the sender secret element S_(y(m+1)) is an element of the first cyclic group G₁; r is an element of the cyclic group Z/qZ; and g is an element of the second cyclic group G₂.
43. A method of encoding and decoding a message as in claim 36: wherein encoding the message M further includes: selecting a random parameter r; and encoding the message M to generate a ciphertext C=[U₀, U_(l+1), . . . , U_(n+1), V], wherein U₀=rP₀, wherein U_(i)=rP_(zi) for l+1≦i<n+1, wherein V=M⊕H₂(g_(yl)^(r)), and wherein $g_{yi} = \frac{\hat{e}(P_0, S_{y(m+1)})}{\prod_{i=l+1}^{m+1} \hat{e}(Q_{y(i-1)}, P_{yi})}$
decoding the ciphertext C further includes: recovering the message M using $M = V \oplus H_2\left(\frac{e(U_0, S_{z(n+1)})}{\prod_{i=l+1}^{n+1} e(Q_{z(i-1)}, U_{zi})}\right)$.
44. A method of encoding and decoding a digital message M as in claim 43, wherein: both the first cyclic group G₁ and the second cyclic group G₂ are of the same prime order q.
45. A method of encoding and decoding a digital message M as in claim 43, wherein: the first cyclic group G₁ is an additive group of points on a supersingular elliptic curve or abelian variety, and the second cyclic group G₂ is a multiplicative subgroup of a finite field.
46. A method of encoding and decoding a digital message M as in claim 43, wherein: the function ê is a bilinear, non-degenerate, and efficiently computable pairing.
47. A method of encoding and decoding a digital message M as in claim 43, wherein: s₀ is an element of the cyclic group Z/qZ; Q₀ is an element of the first cyclic group G₁; each of the public elements P_(zi) is an element of the first cyclic group G₁; each of the public elements P_(yi) is an element of the first cyclic group G; each of the lower-level key generation secrets s_(zi) is an element of the cyclic group Z/qZ; each of the lower-level key generation secrets s_(yi) is an element of the cyclic group Z/qZ; each secret element S_(zi) is an element of the first cyclic group G₁; each secret element S_(yi) is an element of the first cyclic group G₁; each of the lower-level key generation parameters Q_(zi) is an element of the first cyclic group G₁; each of the lower-level key generation parameters Q_(yi) is an element of the first cyclic group G₁; the recipient public element P_(z(n+1)) is an element of the first cyclic group G₁; the sender public element P_(y(m+1)) is an element of the first cyclic group G₁; the recipient secret element S_(z(n+1)) is an element of the first cyclic group G₁; the sender secret element S_(y(m+1)) is an element of the first cyclic group G₁; r is an element of the cyclic group Z/qZ; and g_(yl) is an element of the second cyclic group G₂.
48. A method of encoding and decoding a digital message M as in claim 36: wherein encoding the message M further includes: selecting a random parameter r; and encoding the message M to generate a ciphertext C=[U₀, U_(l+1), . . . , U_(n+1), V], wherein U₀=rP₀, wherein U_(l+1)=r(P_(y(l+1))−P_(z(l+1))), wherein U_(i)=rP_(zi) for l+2≦i≦n, wherein V=M⊕H₂(g_(y(l+1))^(r)), and wherein $g_{y(l+1)} = \frac{\hat{e}(P_0, S_{y(n+1)})}{\prod_{i=l+2}^{m} \hat{e}(Q_{y(i-1)}, P_{yi})} = \hat{e}(P_0, S_{y(l+1)})$; and decoding the ciphertext C further includes: recovering the message M using $M = V \oplus H_2\left(\frac{\hat{e}(U_0, S_{z(n+1)})\,\hat{e}(U_{l+1}, Q_{zl})}{\prod_{i=l+2}^{n} \hat{e}(Q_{z(i-1)}, U_i)}\right)$.
49. A method of encoding and decoding a digital message M as in claim 36: wherein encoding the message M further includes: selecting a random parameter r; and encoding the message M to generate a ciphertext C=[U₀, U_(l+2), . . . , U_(n), V], wherein U₀=rP₀, wherein U_(i)=rP_(zi) for l+2≦i≦n wherein V=M⊕H₂(g_(z(l+1))^(r)), and wherein $g_{z(l+1)} = \frac{\hat{e}(P_0, S_{y(m+1)})\,\hat{e}(Q_{yl}, (P_{z(l+1)} - P_{y(l+1)}))}{\prod_{i=l+2}^{m} \hat{e}(Q_{y(i-1)}, P_{yi})} = \hat{e}(P_0, S_{z(l+1)})$; and decoding the ciphertext C further includes: recovering the message M using $M = V \oplus H_2\left(\frac{\hat{e}(U_0, S_{z(n+1)})}{\prod_{i=l+2}^{n} \hat{e}(Q_{z(i-1)}, U_i)}\right)$.
50. A method of encoding and decoding a digital message M as in claim 36, further comprising: selecting a third function H₃ capable of generating an integer of the cyclic group Z/qZ from a third string of binary digits; and selecting a fourth function H₄ capable of generating a fourth string of binary digits from a fifth string of binary digits; wherein encoding the message M further includes: selecting a random binary string σ; computing a random integer r=H₃(σ, M, W), wherein W=E_(H₄(σ))(M); and generating the ciphertext C=[U₀, U_(l+1), . . . , U_(n+1), V, W], wherein U_(i)=rP_(zi) for i=0 and for l+1≦i≦n+1, wherein V=σ⊕H₂(g_(yl)^(r)), and wherein $g_{yl} = \frac{\hat{e}(P_0, S_{y(m+1)})}{\prod_{i=l+1}^{m+1} \hat{e}(Q_{y(i-1)}, P_{yi})}$; and wherein decoding the ciphertext C further includes: recovering the random binary string σ using $\sigma = V \oplus H_2\left(\frac{\hat{e}(U_0, S_{z(n+1)})}{\prod_{i=l+1}^{n+1} \hat{e}(Q_{z(i-1)}, U_{zi})}\right)$; and recovering the message M using M=E_(H₄(σ))⁻¹(W).
51. A method of encoding and decoding a digital message M as in claim 49, wherein: both the first cyclic group G₁ and the second cyclic group G₂ are of the same prime order q.
52. A method of encoding and decoding a digital message M as in claim 49, wherein: the first cyclic group G₁ is an additive group of points on a supersingular elliptic curve or abelian variety, and the second cyclic group G₂ is a multiplicative subgroup of a finite field.
53. A method of encoding and decoding a digital message M as in claim 49, wherein: the function ê is a bilinear, non-degenerate, and efficiently computable pairing.
54. A method of encoding and decoding a digital message M as in claim 49, wherein: s₀ is an element of the cyclic group Z/qZ; Q₀ is an element of the first cyclic group G₁; each of the public elements P_(zi) is an element of the first cyclic group G₁; each of the public elements P_(yi) is an element of the first cyclic group G; each of the lower-level key generation secrets s_(zi) is an element of the cyclic group Z/qZ; each of the lower-level key generation secrets s_(yi) is an element of the cyclic group Z/qZ; each secret element S_(zi) is an element of the first cyclic group G₁; each secret element S_(yi) is an element of the first cyclic group G₁; each of the lower-level key generation parameters Q_(zi) is an element of the first cyclic group G₁; each of the lower-level key generation parameters Q_(yi) is an element of the first cyclic group G₁; the recipient public element P_(z(n+1)) is an element of the first cyclic group G₁; the sender public element P_(y(m+1)) is an element of the first cyclic group G₁; the recipient secret element S_(z(n+1)) is an element of the first cyclic group G₁; the sender secret element S_(y(m+1)) is an element of the first cyclic group G₁; r is an element of the cyclic group Z/qZ; and g_(yl) is an element of the second cyclic group G₂.
55. A method of encoding and decoding a digital message M as in claim 49, further comprising: confirming the internal consistency of the ciphertext C by: computing an experimental random integer r′=H₃(σ, M, W); and confirming that U₀=r′P₀ and U_(i)=r′P_(zi) for l+1≦i≦n+1.
56. A method of generating and verifying a digital signature Sig of a digital message M communicated between a sender and a recipient, wherein the sender is m+1 levels below a root PKG in a hierarchical system, and wherein the sender is associated with a sender ID-tuple (ID_(y1), . . . , ID_(y(m+1))) that includes identity information ID_(y(m+1)) associated with the sender and identity information ID_(yi) associated with each of m lower-level PKGs in the hierarchy between the root PKG and the sender, the method comprising: generating a first cyclic group G₁ of elements and a second cyclic group G₂ of elements; selecting a bilinear, non-degenerate pairing ê capable of generating an element of the second cyclic group G₂ from two elements of the first cyclic group G₁; selecting a root generator P₀ of the first cyclic group G₁; selecting a random root key generation secret s₀ associated with and known only to the root PKG; generating a root key generation parameter Q₀=s₀P₀; selecting a first function H₁ capable of generating an element of the first cyclic group G₁ from a first string of binary digits; generating a public element P_(yi) for each of the m lower-level PKGs, wherein P_(yi)=H₁(ID_(y1), . . . , ID_(yi)) for 1≦i≦m; selecting a lower-level key generation secret s_(yi) for each of the n lower-level PKGs, wherein each lower-level key generation secret s_(yi) is known only to its associated lower-level PKG; generating a lower-level secret element S_(yi) for each of the m lower-level PKGs, wherein S_(yi)=S_(y(i−1))+S_(y(i−1))P_(yi) for 1≦i≦m; generating a lower-level key generation parameter Q_(yi) for each of the m lower-level PKGs, wherein Q_(yi)=S_(yi)P₀ for 1≦i≦m; generating a sender public element P_(y(m+1))=H₁(ID_(y1), . . . , ID_(y(m+1))) associated with the sender; generating a sender secret element S_(y(m+1))=S_(ym)+s_(ym)P_(y(m+1))=Σ_(i=1)^(m+1)s_(y(i−1))P_(yi) associated with the sender; signing the message M to generate a digital signature Sig using at least the sender secret element S_(y(m+1)); and verifying the digital signature Sig using at least the root key generation parameter Q₀ and the lower-level key generation parameters Q_(yi).
57. A method of generating and verifying a digital signature Sig as in claim 56, wherein: both the first group G₁ and the second group G₂ are of the same prime order q.
58. A method of generating and verifying a digital signature Sig as in claim 56, wherein: the first cyclic group G₁ is an additive group of points on a supersingular elliptic curve or abelian variety, and the second cyclic group G₂ is a multiplicative subgroup of a finite field.
59. A method of encoding and decoding a digital message M as in claim 56, wherein: the function ê is a bilinear, non-degenerate, and efficiently computable pairing.
60. A method of encoding and decoding a digital message M as in claim 56, wherein: s₀ is an element of the cyclic group Z/qZ; Q₀ is an element of the first cyclic group G₁; each of the public elements P_(yi) is an element of the first cyclic group G; each of the lower-level key generation secrets s_(yi) is an element of the cyclic group Z/qZ; each secret element S_(yi) is an element of the first cyclic group G₁; each of the lower-level key generation parameters Q_(yi) is an element of the first cyclic group G₁; the sender public element P_(y(m+1)) is an element of the first cyclic group G₁; and the sender secret element S_(y(m+1)) is an element of the first cyclic group G₁.
61. A method of generating and verifying a digital signature Sig as in claim 56, further comprising: selecting a second function H₃ capable of generating an element of the first cyclic group G₁ from a second string of binary digits; selecting a sender key generation secret s_(y(m+1)) for the sender y, wherein the sender key generation secret s_(y(m+1)) is known only to the sender; and generating a sender key generation parameter Q_(y(m+1)) associated with the sender, wherein Q_(y(m+1))=s_(y(m+1))P₀; wherein signing the message M further includes: generating a message element P_(M)=H₃(ID_(y1), . . . , ID_(y(m+1)), M), wherein the message element P_(M) is an element of the first cyclic group G₁; and generating the digital signature Sig using Sig=S_(y(m+1))+S_(y(m+1))P_(M); and wherein verifying the digital signature Sig further includes: confirming that $\frac{\hat{e}(P_0, Sig)}{\hat{e}(Q_{y(m+1)}, P_M)\prod_{i=2}^{m+1} \hat{e}(Q_{y(i-1)}, P_{yi})} = \hat{e}(Q_0, P_1)$.
62. A method of generating and verifying a digital signature Sig as in claim 61, wherein: both the first group G₁ and the second group G₂ are of the same prime order q.
63. A method of generating and verifying a digital signature Sig as in claim 61, wherein: the first cyclic group G₁ is an additive group of points on a supersingular elliptic curve or abelian variety, and the second cyclic group G₂ is a multiplicative subgroup of a finite field.
64. A method of encoding and decoding a digital message M as in claim 61, wherein: the function ê is a bilinear, non-degenerate, and efficiently computable pairing.
65. A method of encoding and decoding a digital message M as in claim 61, wherein: s₀ is an element of the cyclic group Z/qZ; Q₀ is an element of the first cyclic group G₁; each of the public elements P_(yi) is an element of the first cyclic group G; each of the lower-level key generation secrets s_(yi) and the sender key generation secret S_(y(m+1)) is an element of the cyclic group Z/qZ; each secret element S_(yi) is an element of the first cyclic group G₁; each of the lower-level key generation parameters Q_(yi) and the sender key generation parameter Q_(y(m+1)) is an element of the first cyclic group G₁; the sender public element P_(y(m+1)) is an element of the first cyclic group G₁; and the sender secret element S_(y(m+1)) is an element of the first cyclic group G₁.
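The verification equation of claim 61 can be checked numerically. The following is an added example, not part of the patent text: it assumes a toy pairing in which a G₁ element aP₀ is stored as the integer a mod q and ê(aP₀, bP₀)=g^(ab) mod p, which exposes discrete logarithms and is usable only for checking the algebra. It reads the second term of Sig as the scalar s_(y(m+1)) times P_(M); the function names, parameters and sample identities are hypothetical.

```python
import hashlib
import secrets

# Toy parameters (constructed, insecure): q and p = 2q + 1 are prime, g has order q mod p.
q, p, g = 1019, 2039, 4
P0 = 1  # root generator of G1; the element a*P0 is stored as the integer a mod q

def pair(a, b):
    """Toy bilinear, non-degenerate map e(aP0, bP0) = g^(ab) mod p (assumption)."""
    return pow(g, (a * b) % q, p)

def hash_to_g1(tag, *parts):
    """Stand-in for H1 / H3: domain-separated hash to a nonzero element of G1."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)  # length-prefix each field
    return 1 + int.from_bytes(h.digest(), "big") % (q - 1)

def public_elements(ids):
    """P[i] = H1(ID_y1, ..., ID_yi) for 1 <= i <= m+1; index 0 is unused."""
    return [None] + [hash_to_g1(b"H1", *ids[:i]) for i in range(1, len(ids) + 1)]

def keygen(ids):
    """Root setup, lower-level setup and extraction along ids = (ID_y1..ID_y(m+1)).

    Returns (s, Q, S): s[i], Q[i] are the secret and parameter of level i
    (0 = root, m+1 = sender); S = sum_{i=1}^{m+1} s[i-1] * P[i] is S_y(m+1).
    """
    s = [secrets.randbelow(q - 1) + 1 for _ in range(len(ids) + 1)]
    Q = [(si * P0) % q for si in s]              # Q_i = s_i P0
    P = public_elements(ids)
    S = 0                                        # S_0 is defined to be zero
    for i in range(1, len(ids) + 1):
        S = (S + s[i - 1] * P[i]) % q            # S_i = S_(i-1) + s_(i-1) P_i
    return s, Q, S

def sign(ids, msg, S, s_sender):
    """Sig = S_y(m+1) + s_y(m+1) * P_M, with P_M = H3(ID_y1, ..., ID_y(m+1), M)."""
    return (S + s_sender * hash_to_g1(b"H3", *ids, msg)) % q

def verify(ids, msg, sig, Q):
    """e(P0,Sig) / (e(Q_(m+1),P_M) * prod_{i=2}^{m+1} e(Q_(i-1),P_i)) == e(Q0,P1)."""
    n = len(ids)                                 # n = m + 1
    P = public_elements(ids)
    denom = pair(Q[n], hash_to_g1(b"H3", *ids, msg))
    for i in range(2, n + 1):
        denom = denom * pair(Q[i - 1], P[i]) % p
    lhs = pair(P0, sig) * pow(denom, -1, p) % p  # division in G2 (Python 3.8+)
    return lhs == pair(Q[0], P[1])

IDS = (b"example-org", b"engineering", b"alice")  # constructed ID-tuple, m = 2
MSG = b"constructed test message"
s, Q, S = keygen(IDS)
SIG = sign(IDS, MSG, S, s[-1])
```

The verifier needs only Q₀, the chain of Q_(yi) values and the sender's ID-tuple, so a substituted key generation parameter at any level between root and sender makes the check fail.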